4
votes

I'm new to PHP and PDO, so I read this response to a similar post:

Does PDO really not use prepared statements with mysql?
Yes, by default (at least with the version I tested), but native mode can be turned on manually.

If not, can it be forced to do so?
By employing the PDO::ATTR_EMULATE_PREPARES setting; the name is pretty self-explanatory. $dbh->setAttribute( PDO::ATTR_EMULATE_PREPARES, false );

Should you do that?
That's the hardest question of them all. Well, I'd say yes, you should. If you choose PDO as your db driver, there is no point in using it in the emulation mode.
Your Common sense

Aren't prepared statements secure from SQL injection? Why change it from true to false? What is native mode?

2
This question and its answers might also help: stackoverflow.com/questions/10113562/…
ComFreek

2 Answers

2
votes

I've changed my mind since then.

First of all, every mode is equally safe.
It is not native binding that makes a prepared statement safe, but the general principle of a parameterized statement, which does complete formatting and thus produces an invulnerable query.

So, I'd rather keep emulation mode on, as it makes more sense with average web usage and allows minor conveniences, such as more sensible error messages (with data actually substituted in the query) or multiple placeholders with the same name.

The only reason to change from emulation to native mode is another benefit of prepared statements: the possibility to execute a once-prepared statement multiple times. But, as mentioned above, it is seldom needed.
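To make the two modes in this answer concrete, here is an added example (not code from the answer or from any project it mentions) that switches PDO::ATTR_EMULATE_PREPARES off, runs one prepared SELECT several times with different bound values, and then shows the one behavioural difference the answer names, the same named placeholder used twice. The DSN, credentials and the tbl_users(id, login, email) columns are placeholders assumed for the example.

```php
<?php
// Added example, not part of the original answer. Assumes a MySQL server
// reachable with the placeholder DSN/credentials below and a table
// tbl_users(id, login, email); adjust for your own setup.
$dsn  = 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4'; // placeholder
$user = 'example_user';                                            // placeholder
$pass = 'example_pass';                                            // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // failures become exceptions
]);

// Native (server-side) prepared statements: the SQL text goes to MySQL once
// as PREPARE, and every execute() sends only the parameter values.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$stmt = $pdo->prepare('SELECT id, login FROM tbl_users WHERE login = :login');

// Prepare once, execute many times: the benefit the answer above mentions.
// In both modes the bound value is data compared against the column; it is
// never parsed as part of the SQL statement.
foreach (['alice', 'bob', "o'hara"] as $login) {
    $stmt->execute([':login' => $login]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    printf("%s -> %d row(s)\n", $login, count($rows));
}

// A convenience only emulation mode offers: the same named placeholder twice.
// With native prepares, PDO sends MySQL two '?' markers but binds one value,
// and PDO reports SQLSTATE[HY093] "Invalid parameter number".
$sql = 'SELECT id FROM tbl_users WHERE login = :name OR email = :name';
try {
    $dup = $pdo->prepare($sql);
    $dup->execute([':name' => 'alice']);
    echo "native mode: duplicate placeholder accepted\n";
} catch (PDOException $e) {
    echo "native mode: " . $e->getMessage() . "\n";
}

// Emulation mode: PDO quotes the value itself and substitutes it at both
// occurrences before the text reaches the server.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
$dup = $pdo->prepare($sql);
$dup->execute([':name' => 'alice']);
echo "emulated mode: " . count($dup->fetchAll(PDO::FETCH_ASSOC)) . " row(s)\n";
```

Whichever mode is in effect, the values passed to execute() never reach the SQL parser as statement text, which is the point of the answer; the switch only changes where the substitution happens and which placeholder spellings are accepted.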

-5
votes

Depending on what is most important for you: easy coding and few lines, or a proper way to do it and to avoid SQL injection. As far as you do not work with a huge database it has no effect on speed, so better to leave it away. You can code like

$result = $this->db->select('SELECT * FROM tbl_users WHERE login = :login AND password = :password', $arraiul);

or like that

function editusers() {
    // Request values are read straight from $_POST and interpolated into
    // the SQL string; the prepare() call below receives the finished text.
    $id = $_POST['id'];
    $name = $_POST['name'];
    $login = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    $power = $_POST['power'];
    if ($password == '') {
        $sqlstm = "UPDATE tbl_users SET name='$name', login='$login', email='$email', power='$power' WHERE id='$id'";
    } else {
        $sqlstm = "UPDATE tbl_users SET name='$name', login='$login', password=MD5('$password'), email='$email', power='$power' WHERE id='$id'";
    }
    $sth = $this->db->prepare($sqlstm);
    $sth->execute();
}
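As an added example (not the answer's own code), the editusers() function above rewritten so that the same update runs through bound parameters: every $_POST value is handed to execute() as data and the SQL text contains only placeholders. It assumes a PDO connection opened with PDO::ERRMODE_EXCEPTION and the tbl_users(id, name, login, password, email, power) columns from the answer; password_hash() is used where the answer used MD5(), a choice made here rather than something the answer states.

```php
<?php
// Added example, not the answer's code. $db is assumed to be a PDO instance
// created with PDO::ERRMODE_EXCEPTION, so prepare()/execute() throw on failure.
function editusers(PDO $db, array $input): int
{
    // Only the intended fields are read; the values travel as parameters,
    // so a quote or SQL keyword inside them stays plain data.
    $params = [
        ':id'    => (int) $input['id'],
        ':name'  => $input['name'],
        ':login' => $input['username'],
        ':email' => $input['email'],
        ':power' => $input['power'],
    ];

    if ($input['password'] === '') {
        $sql = 'UPDATE tbl_users SET name = :name, login = :login, email = :email, power = :power WHERE id = :id';
    } else {
        $sql = 'UPDATE tbl_users SET name = :name, login = :login, password = :password, email = :email, power = :power WHERE id = :id';
        // Salted, slow hash computed in PHP (checked later with password_verify()),
        // used here instead of the MD5() call in the original.
        $params[':password'] = password_hash($input['password'], PASSWORD_DEFAULT);
    }

    $sth = $db->prepare($sql);
    $sth->execute($params);
    return $sth->rowCount(); // rows changed by the UPDATE
}

// Usage (assumed): $changed = editusers($pdo, $_POST);
```

The query text is fixed at prepare() time in both emulated and native mode; the two branches differ only in which placeholders exist, and the parameter array is built to match the branch that was chosen.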