cool thanks. Yep got some validation stuff beforehand. I guess it might be neater to specify the top way, but then it also introduces more risk of error when copying between the variable and the bind. maybe i’ll do the lower as shorter amount of code and just put up with it looking (to my eyes) slightly more ugly.
That said, I’ve read comments where people only ever use internal variables to post into queries, and never $_POST or $_GET on the basis that if they make a habit of not using the globals, they can never miss out the validation steps - if they miss those steps out, the internal variable will be blank.
That’s because you MOVE the data out of the $_POST or $_GET when you VALIDATE or SANITIZE it. That way you know that while $_POST and $_GET can contain anything at all (tainted) , all your other variables will contain values that are known to be acceptable values for those fields to contain (untainted).
While using bind eliminates the possibility of SQL injection by keeping the SQL and data separate, it doesn’t eliminate the possibility of filling the database with meaningless invalid junk.
These are things you should be doing in order to ensure that the data your script is processing are meaningful. Any security they provide is simply a side effect of what you need to have in place for the script to work.
Using prepared statements i am safe (as much as i can be) from SQL injection? yes?
From what i understand though if i don’t check the variables script could be inserted into the database which, whilst not affecting the sql on the way in, could do something if outputted? yes?
I am assuming there is no point doing mysqli_real_escape_string on the variables?
It’s not just that script could be inserted, it’s that invalid data could go there too, which could cause you problems further down the line as you then try to use that data. For example if a user tries to enter an email address that isn’t in a valid format, it’s better to deal with that while they’re entering it than to accept it and have to deal with it every time you try to use that address.
Not a problem doing that already (could always do more/better though). So telephone numbers are numeric, email must contain @ and a . etc
Doing all this server side so they can’t bypass JS. Also using HTML5 form elements now so there is a double layer to minimize rubbish. So html5 email field with required gives a message before the form is submitted and then if it gets past that and is still malformed my validation throws it back and gives a message.
Hopefully will stop a lot of the rubbish getting through and will just have to evolve if i see anything getting around that.