Just reading up on Parameterised queries, which seem to be the last word in database defence, and was wondering the following:
I have an existing PHP/MySQL self-built CMS where ALL inputs (bar checkboxes and radio buttons) are subject to real_escape_string. There is an admin section accessible via a sha1 encrypted password and a matching username where a small (3) group of trusted people can update content (tinyMCE), upload photos, etc. Strictly smalltime. None of my queries are parameterised, but are only executed after escaping.
There are no inputs taken from the general public, but I do want to open it up to user-submitted forms later.
My host is a private one, with a very good record.
All else being equal, how secure am I?
I’d rather use parametrized / prepared statements. Compared to just escaping input, they let you specify type which is handy (you don’t have, for instance, to convert datetime values to server-specific format), and it also resolves ambiguity in handling conversion errors by different RDMS. For example, query
SELECT * FROM table1 WHERE int_field='aaa'(int_field is integer) returns records with int_field equals 0 in Mysql, raises error in Oracle and SQLServer, and returns empty set in SQlite