Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I understand that parameterized queries are essential when user-submitted data is on the prowl, however my question is whether this applies to user-TAMPERABLE data?
So if we have an url such as “…/?id=1”, would it be necessary to prepare any statement using $id or would URL encoding remove the threat?
Joe
Why wouldn’t you use prepared statements / paramaterised queries for all situations where there is external/variable input?
The only queries you can trust are those where every element is hardcoded, or derived from hardcoded elements within your application.
Do not even trust data that you have pulled from your own database. This counts as external / variable data. A sophisticated attack can use more vectors than a simple “modifying a query string parameter”.
I think for the tiny amount of extra code overhead, it is completely worth the peace of mind you will get from knowing your queries are protected.