Why Smart Posts Start Arguments

Effective sub-titles or substitute titles for this article would be “Why Arguing on the Internet is Stupid, Like Setting your Genitals on Fire” or “People Just Like Being Assholes.” But, neither of these seemed catchy enough. I’m sorry, folks, but you’re stuck with what I’ve decided to put in the title bar.

You’ve probably posted something somewhere on the Internet at some point in recent memory, and if you’re a friend of mine it was guaranteed to be a thoughtful, inspirational post (I don’t have dumb friends). So, whether it was on a forum, on a mailing list, on Reddit, or even Facebook, why did your post accumulate dozens of inflammatory remarks? Moreover, why does it often seem that a non-trivial subset of these comments are made in disagreement with your post simply for the sake of disagreement rather than to counter your claims with a substantive riposte?

Fortunately for you, I suffered through a mostly sleepless night lying awake with this question fresh in my mind after having observed (and partaken in) a few discussions on the cultural brewery that is Reddit with the occasional flashback to Slashdot debates, message board posts, and lurking mailing lists watching the ebb and flow of intellectual titans duking it out for all to see.

First, let’s start off with a typical scenario. Someone–probably you–has posted a fairly lengthy, carefully articulated post that delves into a given subject with greater depth than 99.9% of the other contributions. Upon a cursory glance, your immediate competition consists of numerous repeated memes and one-liners, often duplicated with varying degrees of accuracy, and a handful of insightful (but short!) gems that may or may not be applicable to the discussion. Most of these serve as fodder and bait for community members with frighteningly short attention spans. If the post in question is longer than 3 or 4 paragraphs, most genuine replies (those that aren’t “TL;DR”) typically won’t appear for over an hour–anything that appears within 30 minutes or less of the original post may contribute slightly more than other, more immediate, ones, but don’t get your hopes up. Substantive replies take time, because it takes time to read, digest the material, and respond.

In a best case scenario, days will wax and wane, other posts appear to divert attention away from your masterpiece, and no one responds. Worst case, your clever post will attract one of the following three types of replies: 1) Grammar Nazis, 2) visitors looking for disagreement or something to attack, and 3) other intelligent people seeking conversation. Interestingly, upon further analysis, we’ll find that #1 and #2 share many of the same attributes and are actually subsets of the same classification of responses.

First, we’ll deal with the third, because it is the rarest of the three: Intelligent people seeking conversation. Although it’s exceptionally rare, depending on medium, other intelligent people will occasionally find themselves engaged enough in a particular thread that they feel the need to respond. Their replies are often the easiest to identify, because they take the same amount of time to cautiously articulate their reply. Further, any disagreement felt by other intelligent people is usually (but not always) toned down and grounded in established facts. This is because intelligent people are well aware that the best way to be read among an aggregate of mixed quality posts is to disagree politely. Although terse disagreements do happen with intelligent people (Linus Torvalds comes to mind), they’re often the exception rather than the rule, because smart people are also well aware that inciting emotional response is a waste of time. To wit, unleashing an emotional torrent of replies simply wastes valuable screen real estate and precious bandwidth that could otherwise be spent discussing more intellectually valuable subjects. Of course, the smart person will occasionally troll and do so precisely to accomplish the exact opposite of meaningful discussion, but those who find themselves in the crosshairs of such a response are usually targeted for a specific reason.

Second, we’ll discuss one of the most common responses given to smart posts: Grammar Nazis. Grammar Nazi posts are seldom worth a reply. In most cases, the Grammar Nazi is seeking validation because of a personality deficit, or they’re trolling. Regardless of what the Grammar Nazi states, very few commit to the activity with the intention of genuinely engaging others. Instead, corrective posts are made on a whim as a knee-jerk reaction to a particular grammatical or spelling error, and the rationale provided (I’m only doing this to help!) surfaces as a secondary response whenever the Grammar Nazi is confronted with a need to justify their initial post. Good intentions are very infrequently the motivation for this sort of reply, and if in doubt, it’s usually possible to examine the poster’s past history to determine whether or not it’s a matter of habit. If you absolutely must reply to the Grammar Nazi, it sometimes helps to dig up a mistake they made in a recent post to help illustrate the absurdity of their behavior. After all, no one’s writing a dissertation if they’re partaking of something intended as a means of informal communication.

Finally, the last type of common response smart posts tend to accumulate (there are others, but for this post I’m only examining these three) is the one that’s essentially little more than disagreement for the sake of disagreement. It’s difficult to think of a specific example, because this type of response is that common. Nevertheless, the motivation is usually the same. Disagreement for the sake of disagreement is usually perpetrated by community members who know just enough to be dangerous. They’re the sort who require constant self-validation and reassurance, and it brings a great deal of joy to their day whenever they can isolate an intelligently constructed post and, right or wrong, tear it to shreds with “logical” rebuttals. The hallmark of the disagreement for the sake of disagreement is often the strawman logical fallacy wherein the respondent intentionally restructures, rewords, or otherwise misrepresents statements made in the original post in effort to argue against it more easily. Unsurprisingly, the strawman is also a favorite of the troll, and disagreement for the sake of disagreement is a vehicle used by many novice trolls.

As I mentioned earlier, Grammar Nazis and those who perpetrate disagreement for the sake of disagreement (hereafter known as “disagreers,” to invent a word) do share a surprising number of traits. First and foremost, both groups demonstrate a disconcerting degree of hyper-corrective behavior; that is, they exhibit a strongly emotional need to correct other people, usually for the purpose of self-validation. Furthermore, Grammar Nazis and Disagreers sometimes make up with their hyper-corrective behavior for what they lack in self-esteem. This pretentiousness, this inherent desire to constantly demonstrate to the world and to themselves (though usually more to themselves), motivates both far more than the desire to engage in meaningful discourse.

Where Grammar Nazis and Disagreers differ is sometimes, but not always, in terms of facts. Grammar Nazis, particularly established and experienced ones, often have sufficient resources and expertise at their disposal that they can quickly provide citations for their particular pet peeves, although it’s also likely that such citations are simply the result of practice and the accumulation of data related to a handful of external resources (or, optionally, the direct result of Google). Put another way, if you’re especially bothered by a very specific mistake, you’ve probably linked to an authoritative source at least once or twice before, and subsequent interactions are relegated to “more of the same.” Disagreers, on the other hand, generally have more legwork to accomplish if they wish to rely on facts. Although it’s rare, it’s not unheard of for someone who wishes to validate their own intellectual superiority through disagreement to search for and supply sources supporting their claims. However, because such an affair requires a great deal of effort, most Disagreers find it easier to resort to the strawman. Therefore, Grammar Nazis tend to rely on citation boilerplate (think canned response), and Disagreers usually rely on the strawman, changing the premise or altering the context of the argument in such a manner that it’s easier for them to dispute.

You may have noticed that I haven’t yet answered the question “why smart posts start arguments?” Don’t worry–I haven’t forgotten. Before I can even begin to answer why this happens, it’s necessary to illustrate a little bit more about the people who usually start the arguments in the first place. The more time you spend understanding their motives, the more effectively you’ll be able to respond (or not) to the onslaught.

First off, while memes and other oft-repeated statements are excellent fodder for people looking for a jovial but shallow interaction, smart posts are fodder for those who seek to inflate their own feeling of superiority, particularly if they first go unnoticed by other smart people who appreciate friendly, intellectual discourse. It has taken me a while to figure out why this might occur, but I think I finally have it pinned down.

Intermission: It’s somewhat ironic, but in the rare circumstance that another smart person notices your post, it reduces the likelihood that disagreement for the sake of disagreement will occur; it might be that this then becomes a matter of safety in numbers. Disagreers, Grammar Nazis, and trolls will then fear being washed out to sea–leastwise, the ones who remain and haven’t gotten bored by trawling through pages of intellectual discussion looking for an opening.

In the midst of interpersonal communication (that is, face-to-face), we have access to a whole side channel of additional out of band communication. There’s body language, verbal cues, inflections, distractions, and a distinct absence of anonymity and the Internet. You may be surprised about that last bit, but I can assure you: It’s there for a reason (I’ll touch on that in a minute). First, Grammar Nazis are automatically excluded due in part to the distinct lack of chat bubbles in real world communications, and second because the awkwardness of interrupting conversational flow just to point out that one particular word shouldn’t be used over another is often a prohibitive cost for their timidity. Colloquialisms are the Grammar Nazi’s bane, and so most informal discussions aren’t something they find inclusive. Second, the advantages Disagreers have whenever they’re tucked away behind a screen suddenly evaporate when faced directly with those they’d accuse of being wrong. Certainly the lack of anonymity is important, but so too is the lack of Internet access.

If you recall in my discussion about disagreement for the sake of disagreement, I mentioned that Disagreers will often spend an inordinate amount of time looking up facts with which to slam their targets. While they don’t always do this (the strawman is easier), devout Disagreers will take the time to search for facts–no matter how dubious–supporting their claims. After all, to them, the appearance of sourcing authoritative information is more important than the information itself. Unfortunately, without Internet access and the asynchronous medium of message boards, the synchronous nature of in-person communication usually eliminates any chance to look up factoids on the nearest smart phone (and most people in a conversational tone will simply blow off anything of the sort). Think of it this way: In a conversation with a university professor, facts and figures offered up by the professor will most likely be devoured by those present since they have an active interest in the conversation (“Wow! That’s interesting!”), whereas an uncomfortable pause by another 20-something so he can look down at his smart phone met shortly thereafter with “actually, that’s not true!” is unlikely to go over well. For one, the professor is an authoritative source. In contrast, facts offered up by the smart phone reader cannot be independently confirmed as authoritative, and the interruption of conversation (not to mention the trains of thought) is usually seen as pretentiousness if not outright annoying.

I understand that the previous examples are somewhat contrived. There will always be groups of friends with a “fact-o-phile” in the group who likes to look up the weird and unusual for the sake of sharing (sharing is caring) and for the sake of starting new conversation. There will always be a few students who, even in one-on-one conversation with their professors, will always second guess everything stated as fact (channeling the Disagreer mentality–perhaps in some strange twist, the encouragement of “always second guess everything” that is taught to students in some fields of study is responsible for this). Generally, though, my assumptions in these cases are that 1) students following around a professor to talk with him or her usually do so because they have an interest in what the professor says and 2) in sufficiently large groups of people, there will invariably be at least one person who has an innate, almost borderline-manic need to disagree with and correct everyone nearby. Fortunately, the latter type of person is far rarer in person than they are online. (N.B.: Do not confuse this type with the pessimistic contrarian who largely disagrees because of their exceptional pessimism and not through any mechanism of self-validation, which they wouldn’t care about anyway!)

I believe that anonymity brings out the worst in us at times, and that’s partly why I believe that Disagreers are the most likely to seek out smart posts and respond. It isn’t necessarily that smart posts are arrogantly asking for dispute. It’s that some people just can’t help themselves online. Call it pretentiousness, call it arrogance, call it self-esteem issues, egotism, megalomania, or any number of personality disorders. Smart posts often have a lot of material that can be easily taken out of context, and Disagreers love nothing more than a good disagreement. So what can you do? Ignore them. It’s been said before on numerous forums and mailing lists: Don’t feed the trolls. Disagreers could easily be labeled as such, but the difference is that their trolling tendencies aren’t always premeditated. This may make the Disagreer more benign than an honest-to-goodness troll, but it doesn’t make their disagreement any less annoying–or dangerous.

Think of it this way: In matters of medical issues, if a dispute comes up as to whether or not someone should seek treatment for a specific condition, a true Disagreer might suggest alternative approaches that could potentially worsen the condition. A troll would do so with malicious intent; a Disagreer might do it simply because they are forcing their belief system on others, dislike doctors and pharmaceuticals, or want to demonstrate superior intellect over the original poster. Thus, the net result is the same, but the motivations are entirely different.

Of course, there are many other reasons smart posts start arguments, and in spite of the rather titanic word count in this post, I’ve only begun to scratch the surface. So, I’ll leave you to consider other circumstances, other personality types, and consider other reasons why such a thing might happen. Feel free to share your own experiences, and I may revisit this post at some point in the future!

***

My Letter to the CPSC

A brief but important edit (Oct 31, 2012 ~11PM MDT) to any visitors that may have taken notice of my rather brash letter to the CPSC: I should correct that near as I can tell Buckyballs is not shuttering their doors. I screwed up in my fit of inappropriate (but correctly directed) rage. It was a knee-jerk reaction on my part and–as best as I can tell without hearing directly from Buckyballs–completely false. I was told that they were and read the front page post in that context, angry enough that I wasn’t thinking clearly. For that, I publicly apologize to everyone. I’m sorry about my shoot-first, ask-later behavior. However, I’m still not sorry about the premise of my letter. How I feel about the CPSC hasn’t changed since I first heard about the “voluntary” stay of sales several months ago. I think the agency’s behavior is a terrible misappropriation of taxpayer money, and I think they should themselves be placed under some form of oversight to which they are ultimately held responsible and must answer directly to the public.

However, there is still some truth to my anger. Upon re-reading the statement on getbuckyballs.com, I can only surmise that our favorite types of magnets may be removed in their entirety. What they’ll be replaced with is anyone’s guess, but I imagine that it’ll be something lower powered and “less dangerous” (for some value of perceived danger)–and also less fun. While it doesn’t equate to shuttering the company’s doors, and moving into another product line is certainly a wise idea financially, it does mean that the Buckyballs we used to know and love are likely dead. Gone. Forever.

Regardless, I have retained my letter as I originally wrote it. This means that there’s a large degree of embellishment on my part, but I was upset when I wrote it and under the (mistaken) impression that Buckyballs were no more. Although, I guess that last part is still true to a lesser degree.

Hey, if the CPSC can embellish the facts (okay, okay, completely lie) about the degree of harm brought to the offspring of inept parents who thought it would be funny if their children devoured magnets like Halloween chocolates by inflating the number of injuries, I can embellish what I like, too. My mistakes aside (and I’m expecting to be corrected on this matter by the Buckystaff when they receive the copy I sent them–undoubtedly upset with my factual errors ☺), I still stand by the basic premise: The CPSC is out of control and needs to be reined in as an organization. Rather than ignoring real, material threats to children’s lives, they’re targeting successful, popular industries. Buckyballs may not yet be gone, but there are a few smaller vendors that did close up shop earlier this year. The narrative is therefore at least partially correct in spirit even if my statements don’t match the immediate facts.

I won’t hazard a guess why the CPSC wants to shut down magnetic toy companies so badly, but I certainly feel–as a geek–that my consumption habits are being unfairly targeted because the CPSC doesn’t want me to have fun. If they really did care about children, they’d spend more time educating parents and less time banning products that have even a slight potential of misuse. To the CPSC: There is a stark difference between products that present a material and immediate hazard to consumers and ones that are only dangerous if they are misused. A gas grill that causes its propane tank to explode when lit is a material, immediate hazard, and represents a fundamental design flaw. Magnets (or guns, or knives, or doors, or hazardous chemicals) that cause harm when misused do not represent a design flaw; they represent instead the ineptitude of the people who have purchased them.


This letter should be considered to be in the public domain. You may use this letter in part or in whole if you desire to write your own response to the CPSC.

Dear CPSC,

I want to thank you for your efforts against Buckyballs and other high-powered magnet distributors. According to the announcement on getbuckyballs.com it would finally appear that they’re closing their doors, ridding the free world of dangerous items that should be kept out of the hands of children whose parents’ vocabulary lacks the word “responsibility,” and most importantly out of the hands of responsible adults who understand the term but may or may not have children of their own.

It’s excellent news that we have a government agency working hard during these economically difficult times spending a great deal of effort forcing businesses out of business due to spurious charges and sending some 2,000+ people straight to the unemployment offices. After all, what difference is a couple thousand more people on unemployment going to make on the national debt? Not much, of course, so it likely doesn’t matter. Certainly not to an agency that doesn’t have to make payroll–and doesn’t especially care if it shuts down businesses that do.

What does matter is the absolutely absurd campaign the CPSC has been running against companies selling high powered magnets. Yes, it’s a tragedy whenever children die or must undergo a painful operation because they foolishly swallowed something that should have been kept out of their mouths in the first place. But it’s more disconcerting when a single, un-elected board can decide what businesses are effectively allowed to continue operating and which ones cannot. Worse, when a business can be shut down simply because a relatively small handful of people have levied complaints against them with the support of a couple of fanatical physicians, we are poised to lose many more of our already dwindling freedoms. Yet, there is an almost pathological imbalance between the actual danger presented by magnets and the response of the CPSC contrasted with other products. The CPSC isn’t working to ban buckets, skateboards, bicycles, swimming pools, or motor vehicles, each of which kills far more children per year than rare-earth magnets have in their some 3 or so years of market exposure.

As a consumer who considers himself reasonably informed and educated, these actions puzzle me and strongly hint at a less than impartial response on the CPSC’s behalf. Is this the result of a political motive against what was once a $20 million a year industry? Does the CPSC treat, unequally, the packaging industry responsible for creating buckets simply because they have stronger lobbyists or donate to the right campaigns? Or is the CPSC staffed by individuals who have no background in any of the natural sciences and therefore see magnets as a type of “black magic” that need to be banned simply because they have no idea how they work?

The CPSC represents the interests of consumers, but I can’t help myself from feeling that my voice–and the voice of many other happy consumers of various magnetic toys over the years–has been squelched because of an exceptionally noisy minority. This is the danger when an appointed–not elected–board holds a disproportionate amount of power over the marketplace. The majority has its rights stripped completely because of the ineptitude of the few.

I don’t have children. I’m not planning on having children. I have on my desk as I write this letter a box of Buckyballs and there are no less than three warnings visible: Two on the product box and one on the plastic sleeve in which it was originally shipped. Further, there are at least two additional warnings, one on the orange plastic container holding the magnets and one inside the instructions and product literature. Yet under my bathroom sink, I have harsh cleaners that are undoubtedly highly toxic if ingested and none of them have more than one warning label per bottle. The primary difference? The household cleaners have child-proof caps on them. Why couldn’t the CPSC have negotiated with the magnetic toy industry to ship their goods in child-proof containers as a reasonable compromise?

I can’t answer this question without unnecessary speculation, and I suspect it’s a mix of egotism, a knee-jerk reaction to a largely imagined threat, and political favoritism toward industries that can afford political asylum better known in our great country as “lobbyists.”

Given this, it seems to me that the warnings on these magnets and your response to the danger presented by them are both highly disproportionate to the actual harm they’ve created versus the actual dangers of other products. This product was not marketed to children in any capacity; my first set was purchased via ThinkGeek as a toy for adults (14+), and I’m well aware of the hazards of magnets (though I admit I’m more worried about potential data loss on magnetic disk drives than any material hazard presented to myself by these magnets). It’s a crying shame that a single four letter agency operating under the guise of consumer safety can wield more power and strip consumers of more freedom than certain three letter agencies whose business often necessitates the use of such power (CIA, FBI, even the IRS).

Of course, the Constitution doesn’t protect magnets, so I cannot claim that it’s an inalienable human right to own magnets. What a shame! Had the CPSC been created around the time of the Wright brothers, I suspect human flight would still remain a thing of fairy tales–to say nothing of the automobile, bicycle, horse riding, sports… I could go on.

I’m angry, frustrated, and gravely disappointed at the coddled society we’ve become thanks in no small part to the increased momentum we have spiraling toward an out of control nanny state sponsored by government agencies like the CPSC. While children remain relatively unprotected from very real threats to their safety like those presented by other products, we’re at least kept safe from those that present the least hazard. A reasonable society would have resorted to consumer education and awareness. Yet we are not a reasonable society any longer; we ban first, then tie up affected parties for months (or years) in expensive litigation, often (ab)using the turtle’s pace of the Department of Justice as a means of wearing the defendant’s finances thin. I thank my lucky stars I’m not in an industry that produces material goods that could be subject to such scrutiny.

I look forward to the day the CPSC bans toys containing dihydrogen monoxide. It’s a truly horrid substance responsible for dozens of drowning deaths each year and can harbor dangerous diseases if left to stagnate. I wonder then what the rationale behind such a move might be? If we don’t change course and rein in an out of control agency, then I suspect we may very well find out in 10-20 years.

If this were a perfect world, I’d be overjoyed instead to see the CPSC’s staff standing in the unemployment line rather than the employees of an American business driven OUT of business by the strong arm of the nanny state.

Best Regards,

Benjamin

***

Musing about… Prepared Statements

A spurt of curiosity this evening–more specifically, one of those circumstances we each have from time to time wherein a handful of unrelated thoughts flutter about the conscious mind like a pair of butterflies flitting from flower to flower–consumed me sufficiently that I decided to do a brief Google search on prepared statements. I’m unsure where such a motive originated, but I’m fairly convinced that it was at least tangentially related to some misinformation I’ve heard of late related to web programming advice and also possibly due to my surprise that few commercial PHP bulletin board packages actually use prepared statements.

Before I begin, let’s consider for a moment that last and most disconcerting statement: Few commercial PHP forums use prepared statements. To the uninitiated, this might seem to be a matter of nit-picking unimportant to the real world. To the rest of you, it may come as a sad commentary on the state of modern programming and commercial software (perhaps, fittingly, as a commentary on the average run-of-the-mill PHP programmer). Prepared statements certainly aren’t new, and while they’ve been a part of PHP for a number of years now, it’s infuriating that they hardly see common use.

PHP first shipped PDO with PHP 5.1 (available as a PECL extension for PHP 5.0, circa 2004-2005). Intriguingly, for systems that don’t provide PDO support (or the appropriate drivers for PDO), the MySQLi and PostgreSQL functions and classes have provided prepared statements for quite some time, and the SQLite 3 drivers have provided a prepare() method since PHP 5.3. Commercial bulletin boards, like vBulletin and IPB, have seen many revisions in the years since, and several free/open source packages including phpBB have been part of similarly major overhauls. Yet the overwhelming majority of them still make no use of prepared statements. Humorously, as of this writing, vBulletin does provide a misleadingly-named sql_prepare method in its database class, but it doesn’t emulate prepared statements–it simply provides an escape wrapper with data type introspection and casting.

PDO has been available for nearly 8 years and many RDBMS drivers for PHP have offered prepared statements for at least that long (longer in the case of PostgreSQL if memory serves correctly). Yet every year or two, new major versions of popular PHP message boards are released, and every major release sees the same legacy database code under the hood. Perhaps it’s intentional. Perhaps the developers still want to support PHP 4.x in spite of the fact that it went EOL in 2008. Perhaps they just don’t know any better. Who knows!

Why Prepared Statements?

A prepared statement, or parameterized statement as it is occasionally known in DBA parlance, is a SQL string that uses placeholders, either question marks (?), named parameters (such as “:name”), or other database-specific tokens, to tell the database or the driver where data is to be inserted. The SQL text is fixed when the statement is prepared; the data is bound afterwards as values. Because a bound value is never parsed as SQL, it cannot alter the structure of the statement, which is what makes it useless as a vector for SQL injection. With native prepares, most drivers send the statement and its data separately on the wire and the server processes them independently. One caveat worth knowing: some drivers emulate prepares client-side (PDO’s MySQL driver does so by default, controlled by PDO::ATTR_EMULATE_PREPARES), in which case the driver escapes and interpolates the values into the SQL itself before sending a single string. That is still safe as long as the driver knows the connection’s character set, but the “separate on the wire” picture only holds when emulation is off. But wait, there’s more! Because of how prepared statements are implemented on most platforms, the query planner can often parse, optimize, and partially compile the statement once, so that when it runs again with different data much of the legwork has already been done and the query can run faster. Software like forums or blogs often execute the same query many times–with different data–so one might think it would be a natural fit. If it’s such a good thing, why do so many popular packages forgo such a benefit?
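To make the distinction concrete, here is an added example (my own, not code from the original post or from any of the forum packages it mentions) that runs the same lookup two ways against a constructed in-memory SQLite table: once by concatenating the caller’s value into the SQL text, and once through a PDO prepared statement with a named placeholder. The table, its columns, and the sample rows are assumptions made so the script runs offline; it needs PHP 7.1 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original post or any forum package.
// Assumed schema and constructed sample data so this runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)');

// Seeding also shows statement reuse: prepared once, executed three times.
$seed = $db->prepare('INSERT INTO users (username, is_admin) VALUES (:u, :a)');
foreach ([['alice', 0], ['bob', 0], ['root', 1]] as [$u, $a]) {
    $seed->execute([':u' => $u, ':a' => $a]);
}

// Vulnerable: the caller's value becomes part of the SQL text, so a quote
// in the value closes the literal and whatever follows is parsed as SQL.
function findUserConcat(PDO $db, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized: the SQL text never changes. The value is bound after
// prepare() and is compared as data, quotes and all, never parsed as SQL.
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign  = 'alice';
$payload = "' OR '1'='1";   // classic tautology: closes the literal, adds OR

foreach ([$benign, $payload] as $input) {
    echo "input: $input", PHP_EOL;
    echo '  concatenated: ', implode(', ', findUserConcat($db, $input)), PHP_EOL;
    echo '  prepared:     ', implode(', ', findUserPrepared($db, $input)), PHP_EOL;
}
```

The concatenated version turns the payload into `WHERE username = '' OR '1'='1'` and hands back every row, including the admin account; the prepared version goes looking for a user literally named `' OR '1'='1` and finds nothing. With pdo_sqlite the prepare is native. If you port this to pdo_mysql, either set `PDO::ATTR_EMULATE_PREPARES` to false for server-side prepares or make sure the DSN carries `charset=utf8mb4` so the client-side escaping that emulation relies on uses the right character set.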

While I can’t answer for many developers, I think I know what at least part of the answer might be. First, for enormous code bases like vBulletin (and phpBB to a lesser extent), virtually no effort is made to separate the application logic from the underlying model. I’ll be fair in my distinction: The presentation layer is thankfully separated from the mess in the form of templates, but the remaining code is a bowl of spaghetti not unlike that of many of the very first PHP applications (and Perl!) that first graced the Internet over a decade ago. Because the model (and, by extension, the SQL) is so deeply entrenched in the functional logic of the application, reworking it to use prepared statements–and consider, also, that many of these queries are generated programmatically–would be a tremendous undertaking of many man-hours. Cleaning up the code properly such that it is more of a structurally sound framework (think MVC) is most certainly out of the picture. It isn’t impossible, of course, but when you consider that some functions in many of these software packages have persisted since the dawn of time, such refactoring becomes the thing of fairy tales.

To illustrate some of my displeasure, vBulletin version 4.2 still provides an iif function which is little more than a wrapper for the ternary operator (?:) in PHP. The ternary operator has been around since at least PHP 4, yet there it is, in all its glory, a legacy function carried forward from the earliest days of the codebase long after the language made it unnecessary.

One might think that it would simply be a matter of adding some logging code to old function calls, tracing the source that called them, and then reworking the culprit code to use built-in language features. It might even take less than an afternoon.

The Drawbacks, er, Programmer Mistakes

While prepared statements (parameterized queries for those of you who are embarrassingly excited by more elaborate verbiage) aren’t a panacea (I did it again) for all things SQL injection-like, they’re a good mitigation strategy, but it’s important to use them with caution. As Jason Lam states on the ISC Diary, “I still remember 4-5 years ago when SQL injection just started to become popular, the common mitigation suggested [was] to use prepared statement [sic] as if [they were] a magic bullet. As we [now] understand the SQL injection problem better, we realize that even prepared statement can be vulnerable to SQL injection as well.”

Well, yeah. This is where I smack my forehead. Maybe I’m being overly critical as I re-read a post from 5 years ago, because I’ve had the tremendously good fortune of witnessing some magnificently terrible code in my time as a web application developer.

Mr. Lam goes on to explain the insertion of unchecked user input, but I can’t shake the feeling that there is an implicit overtone in the article that it is somehow the fault of prepared statements. Perhaps more accurately, the article is faulting most of us for having championed prepared statements as a welcome solution to a very common and widespread problem. Realistically, though, it’s not an issue with prepared statements–they work just fine. It’s an issue with developers inappropriately using the tools at their disposal and doing so in a manner that simply transfers the vulnerability from query() to prepare() by forgetting to properly manage incoming data. Though, I should say that I’m inclined to suggest that programmatically assembling a prepared statement is somewhat counter-productive. More on this later.

Ironically, while doing some research for this article, I ran across a couple of posts on Stack Overflow that presented this problem of unchecked user input as one of the primary drawbacks of prepared statements. Really? Drawbacks? If you’re not using named parameters or placeholders for your query data, you’re probably not using prepared statements correctly! But drawbacks? Gee, maybe we were a little too vigilant in telling people to use prepared statements–so much so that they did a find/replace for query and swapped it with prepare. (I’m being facetious; so, to head off any comments to the contrary, it’s not at all possible to simply swap some text, because prepared statements do require a little more work.)

The problem I have with labeling unchecked user input as a drawback of prepared statements is that it is no longer a “real” prepared statement whenever such data is concatenated with the resulting query. Yes, it is still a prepared statement, insofar as calling prepare() on the driver’s end, but it’s no longer being used like a prepared statement. Here’s a hint to new developers, particularly PHP developers since a huge percentage of them are guilty of doing stupid things like this: Never concatenate unchecked input in any query–prepared or otherwise. If you’re using a prepared statement, use it like a damned prepared statement. The moment you start piping data into the query string itself, it’s no longer going to have the benefits of a prepared statement. (I’ll give you a special exception if you’re using LIMIT and concatenating integers with your queries since not all of you may be running MySQL 5.0.7 or later.)
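As an added example (not the post’s own code; Python’s sqlite3 module stands in for PHP’s PDO, and the users table is constructed for the demo), here is the “find/replace query() with prepare()” mistake beside a real prepared statement, plus the validated-integer LIMIT exception mentioned above:

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a forum's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    # One prepared statement, executed three times with different data.
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def find_user_concatenated(conn, name):
    """The mistake: the driver still 'prepares' the string, but the user value
    was glued into the SQL text first, so it is parsed as SQL, not as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """A real prepared statement: fixed SQL text with a placeholder; the value
    travels separately and can never change the statement's structure."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def list_users_limited(conn, limit):
    """The LIMIT exception from the post: if the driver cannot bind LIMIT,
    interpolate only a value already checked to be a positive integer."""
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY id LIMIT {limit}")]


def limit_rejects(conn, value):
    """True if list_users_limited refuses the value (used by the checks below)."""
    try:
        list_users_limited(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed tautology input for the demo
    print("concatenated:", find_user_concatenated(db, probe))   # every user
    print("parameterized:", find_user_parameterized(db, probe))  # no user
```

The same input returns every row through the concatenated path and nothing through the parameterized one, which is exactly the difference between calling prepare() and actually using a prepared statement.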

Will the Real Prepared Statement Please Step Forward?

In my mind, and trust me, it’s a very strange place in here, a prepared statement is one that may contain parameters and is “prepared” ahead of time for reuse (that is, compiled) by the driver or the RDBMS (usually the RDBMS). Nothing more, nothing less. The instant some unfiltered data is slapped on to the end of the query, it’s no longer a pure prepared statement; instead, it becomes a mistake. Again: Prepared statements are parameterized queries that are usually compiled by the backend for a little extra speed. A query can contain anything else that the programmer adds into it, but fundamentally, a prepared statement is something that dictates a very specific structure. It certainly cannot overcome the mistakes of a naive developer who, believing that a prepared statement will magically fix all of their (singular they, sorry linguistic purists) security-related woes, uses such a tool in addition to dangerous techniques like concatenating unchecked input. Another way to look at it is this: If prepared statements are prepared (that is, compiled) by the database for reuse, and the developer is concatenating a dynamic value to the statement, the entire benefit of preparing (compiling) that statement is immediately lost, because the RDBMS has to re-compile the statement every single time it’s sent along the wire. Please, don’t do this.

Of course, there may be reasons not to use prepared statements all the time. For one, prepared statements in MySQL versions prior to 5.1 can no longer be managed by the query cache, which may impact performance (High Performance MySQL, 2nd ed., p229). DBMSs that don’t support prepared statements can, in PDO at least, have them emulated by the PDO driver at the cost of some pre-processing performance, and older PHP functions like the popular-but-now-deprecated mysql_* ones outright don’t support anything but basic queries (they also don’t use the binary interface, making them somewhat slower). If you’re using only a single query with absolutely no intention of reusing it, prepared statements may incur some overhead since the query must be compiled. Furthermore, for MySQL at least, if you’re not using stored procedures, the database has no way to share compiled prepared statements among multiple connections. Yet, while a prepared statement is no substitute for caution–particularly with programmatically-generated queries–it is a useful tool in the developer’s arsenal to protect against attacks like SQL injection. Plus, if you make it a habit to use PDO (you should), not only do you get emulated prepared statements for databases that don’t support them, you also get to use the modern MySQL APIs under the hood and some consistency, which says a lot in the PHP world.

Tangentially, this is also why it boggles my mind that many sites (banks, news agencies, airlines, and even some game companies) limit what characters the user can enter for their password, and how so many companies with an online presence often have draconian limits of 16 characters or fewer. Seriously: If you’re correctly storing a secure hash of the password (HMAC, bcrypt, scrypt, or at least SHA256 or similar), you don’t need to store the password directly, nor does it matter if the password is 5 or 500 characters. The hash is going to be composed of a fixed-length string from some limited set of ASCII characters representing hexadecimal digits, which can be stored without much fuss. The 1990s were over two decades ago. I think it’s time we stopped writing code like Y2K is still a viable problem.

Also, let’s start using prepared statements a little more often.
