Parameterized queries
Delusion
"Use parameterized queries, Luke!" (implied "to make yourself safe from SQL injection")
Disclosure
This is another gospel of the PHP folks.
And, like the previous one, completely misunderstood.
First, most people confuse parameterized queries with the native prepared statements supported by modern mysql drivers.
And then these prepared statements are considered the Silver Bullet of Safety and the only answer to the Ultimate Question of Life, the Universe, and SQL Injection.
Needless to say, both statements are mere delusions.
Okay, let's set things straight:
1. Parameters are not a synonym for prepared statements. Prepared statements are database-handled parameters, with very limited functionality.
2. PDO and Mysqli hold no monopoly on parameterized queries in PHP. One can create their own robust solution in a matter of an hour, using the sprintf() function and the old mysql extension.
3. So, whatever mechanism uses some sort of "proxy" representing the actual value in the query (properly processed, of course) can be called "parameters".
4. Most important part: parameters should be of different types. Otherwise their use will be very limited yet toilsome.
Now let's look at all these solutions, peddled by the good Samaritans in every answer on Stack Overflow:
1. Lack of the most important parameters, such as those for identifiers (table and field names) and for the IN() statement (which is a pain in the back for anyone who tries to use it with prepared statements)
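To make points 2 to 4 concrete, here is an added example (it is not the article's code, nor any library's): a minimal typed-placeholder formatter written with plain PHP string functions, with no prepared statements involved. The placeholder names `?s`, `?i`, `?n` and `?a` are this example's own convention, and the connection-free `escape_string_literal()` function is an assumption standing in for a real `mysqli_real_escape_string()` call on an open connection, so the example runs offline.

```php
<?php
// Added example, not the article's or any library's code: a typed-placeholder
// query formatter built only from string functions. Placeholder types are this
// example's own convention:
//   ?s  string literal   -> escaped and single-quoted
//   ?i  integer          -> cast to int, emitted without quotes
//   ?n  identifier       -> backtick-quoted table or field name
//   ?a  array for IN()   -> each element escaped and quoted, comma-joined

// Assumption: stands in for mysqli_real_escape_string() on a live connection,
// which also accounts for the connection charset; this offline version does not.
function escape_string_literal(string $value): string
{
    // Backslash is replaced first so escapes added by later pairs stay single.
    return str_replace(
        ["\\", "\0", "\n", "\r", "'", "\"", "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"],
        $value
    );
}

function quote_identifier(string $name): string
{
    // A backtick inside an identifier is escaped by doubling it.
    return '`' . str_replace('`', '``', $name) . '`';
}

function format_query(string $template, array $args): string
{
    // Split the template so that odd-indexed parts are the placeholders.
    $parts = preg_split('~(\?[sina])~', $template, -1, PREG_SPLIT_DELIM_CAPTURE);
    $expected = (count($parts) - 1) / 2;
    if ($expected !== count($args)) {
        throw new InvalidArgumentException(
            "Expected $expected placeholder value(s), got " . count($args)
        );
    }
    $sql = '';
    foreach ($parts as $idx => $part) {
        if ($idx % 2 === 0) {            // literal SQL text, copied as-is
            $sql .= $part;
            continue;
        }
        $value = array_shift($args);    // next value, processed by its type
        switch ($part) {
            case '?s':
                $sql .= "'" . escape_string_literal((string) $value) . "'";
                break;
            case '?i':
                $sql .= (string) (int) $value;
                break;
            case '?n':
                $sql .= quote_identifier((string) $value);
                break;
            case '?a':
                if (!is_array($value) || $value === []) {
                    throw new InvalidArgumentException('?a requires a non-empty array');
                }
                $quoted = array_map(
                    fn($v) => "'" . escape_string_literal((string) $v) . "'",
                    $value
                );
                $sql .= implode(',', $quoted);
                break;
        }
    }
    return $sql;
}

// Constructed sample inputs, the kind of values a web form could submit.
$table  = 'users';
$column = 'status';
$name   = "O'Brien";
$ids    = ['1', "2' OR '1'='1", '3'];
$limit  = '10 DROP TABLE users';

echo format_query(
    'SELECT * FROM ?n WHERE ?n = ?s AND id IN (?a) LIMIT ?i',
    [$table, $column, $name, $ids, $limit]
), "\n";
```

Each value is rendered by the type of its placeholder, not by guesswork about its content: the identifier goes into backticks, the string and every element of the IN() list are escaped and quoted, and the limit is cast to a bare integer, so the trailing text in `$limit` never reaches the query. In real code the escaping function must be the driver's own, bound to the connection charset, and a placeholder count that does not match the argument count should fail loudly, as it does here, rather than silently emit a partial query.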