Like my title, I want to know how to create a prepared statement without using MySQLi or PDO. The main point is learning the process of creation and it’s security. I have nearly “ZERO-KNOWLEDGE” in this. Tried googling the topic but it seems that my googling skills have failed me. I’ve blindly learned that prepared statement is pretty secure from some websites but I do not see the actual point that it is secure. Can some of you clarify why it is? That would be a big help. I have my own assumption that creating a prepared statement is simply creating a function that receive string and replace all special character with str_replace like:
$org_sql = 'SELECT * FROM `my_table` WHERE `table_id`=?';
$prepared_sql = replaceQueryString($org_sql, 10);
function replaceQueryString($str, $replace) {
// Do the replace where ? will be replaced by $replace here.
return $str;
}
But I wonder if that will raise the level of the security, it looks rather plain to me.
If you don’t want to waste time answering this just point me to where the resource is available. So in summarize.
- How to create a MySQL prepared statement?
- Why it is secure?
Many thanks.
There are two types of prepared statements, the emulated prepared statements and the native prepared statements. What you are doing is emulating the prepared statements.
In php level, you could only emulate the prepared statement by replacing the placeholder with secure values. (Ex: quote the string, escape the special char, and so on…)
Because the prepared statements prevent the sql injection.
PS:
PDO has the option of PDO::ATTR_EMULATE_PREPARES, which enables or disables emulation of prepared statements.