I am putting together a fairly simple web app that uses user-inputted data to act upon an SQLite database, and it was brought to my attention that ‘sanitizing’ strings was possibly not enough and could raise further problems. As I understand it, I should use prepared statements. In my research I found there is PDO (PHP Data Object), which has a prepare function, and the PHP sqlite3 extension also offers a prepare statement. If it matters, at this point there is no login and no sensitive info in the database.
PDO seems ‘alien’ to me and I do not really understand why/how I need to use it. I can copy/paste the code and get it to work, but the ‘idea’ of it escapes me.
So I guess the question is: would the PDO or sqlite3 prepare function be best, and briefly why?
Thanks so much,
Todd
The PDO extension is a wrapper that unifies access to many different databases. As long as the SQL queries you are writing in it are compatible, you can switch databases simply by connecting to a different database in new PDO(...), while not needing to touch the rest of the code. The sqlite3 extension exclusively works with SQLite databases. If you want to connect to a different database later, you’ll have to rewrite all the code that uses sqlite3 functions.
Other than that, prepared statements and how they work are basically identical between these two extensions. I’d vote for PDO, since it offers more flexibility in the long run and means you only have to learn one interface to use many different databases. Note of course that you cannot mix them; you have to use one or the other exclusively. You cannot use the prepare method of one and execute of the other.
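As an added example, not code from the thread: the same parameterised INSERT and SELECT written first with PDO and then with the sqlite3 extension, each against its own in-memory database so the script runs stand-alone. The table, the column names and the input value (a name containing an apostrophe) are constructed for the illustration; the point is that the bound value travels to SQLite separately from the SQL text, so it is never parsed as SQL, and that both extensions expose the same prepare/bind/execute shape even though their method names differ.

```php
<?php
// Added example, not from the original thread. Constructed input: the apostrophe
// would break naive string building, but is harmless as a bound parameter.
$untrustedName = "O'Brien";

// Naive string building for contrast: the apostrophe ends the SQL literal early,
// so this query is malformed and SQLite rejects it. That is the same mechanism
// by which untrusted input changes the meaning of a query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
try {
    $pdo->query("SELECT body FROM notes WHERE author = '$untrustedName'");
} catch (PDOException $e) {
    echo "naive interpolation failed: " . $e->getMessage() . "\n";
}

// --- PDO: named placeholders, values passed to execute() ---------------------
$stmt = $pdo->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $untrustedName, ':body' => 'first note']);

$stmt = $pdo->prepare('SELECT body FROM notes WHERE author = :author');
$stmt->execute([':author' => $untrustedName]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "PDO: {$row['body']}\n";
}

// --- SQLite3 extension: same placeholders, values bound with bindValue() -----
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$stmt = $db->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
$stmt->bindValue(':author', $untrustedName, SQLITE3_TEXT);
$stmt->bindValue(':body', 'first note', SQLITE3_TEXT);
$stmt->execute();

$stmt = $db->prepare('SELECT body FROM notes WHERE author = :author');
$stmt->bindValue(':author', $untrustedName, SQLITE3_TEXT);
$result = $stmt->execute();
while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
    echo "SQLite3: {$row['body']}\n";
}
```

Run it with the PHP CLI (php example.php); it needs the pdo_sqlite and sqlite3 extensions, which are bundled with most PHP builds. The two halves never share a handle or a statement object, which is the "one or the other exclusively" point from the answer: a PDOStatement cannot be executed by a SQLite3 connection or vice versa.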