Use Prepared statements instead of concatenating user-supplied values

[bbertucc]

According to w3..

• Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times)
• Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
• Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

Thanks @jrchamp!

[jrchamp]

Glad it was helpful! The third piece about SQL injections is the key motivation for me. There are definitely performance benefits that are possible though when the prepared statement can be reused with multiple sets of inputs.

[bbertucc]

@ebertucc added a few more related docs:

• https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
• https://www.php.net/manual/en/mysqli.query.php

I'm elevating this enhancement to a bug.

Fix coming!

[bbertucc]

I'm adding a bounty to resolve this issue, since I'm busy building new features:

$255.55 will be paid to you if your resolution to this issue is merged.

To participate:

• Convert every SQL query in the main branch to prepared statements.
• Submit a pull request w/ your Venmo user or link to a donation page.
• $255.55 if your update is merged into main.

[bbertucc]

I'm happy to say this issue is closed! And Instant Message Freedom Inc. is receiving $255.55. Way to go @jrchamp!

[bbertucc]

o since, Paypal tells me to increase the impact by sharing the link, I probably should share the donate link: https://paypal.com/donate/?hosted_button_id=ZDJ3L88KQQ5LS&source=url