Re: Prep. Statements only in mysql-i? [message #177658 is a reply to message #177656]
Thu, 12 April 2012 13:21
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 4/12/2012 8:17 AM, Alexandra Herzog wrote:
>> Just out of curiosity, why? Does it not work as it is? I've always
>> been of the philosophy "don't fix what's not broke".
>
> Well, I found out that "prepared statements" offer a good way to protect against SQL injection attacks. Since the best hackers are those who do not let you realize that you've been hacked, I figured it's better to use them.
>
> However, prepared statements seem to be unavailable in the old mysql-object. I will have to use mysql-i or PDO. Those are not supported in PHP4, so I had to upgrade to PHP5 first.
> However, it was time to upgrade anyway.
>
> Alex
So does properly validating your data (which you should do anyway).
Things like ensuring integer fields are integers, for instance. And any
strings you use need to be processed by mysql_real_escape_string().
Prepared statements are only one way to protect against SQL injection.
But they don't replace good programming practices, and if you use good
practices you won't be open to SQL injection whether you use prepared
statements or other ways.
I'm not saying that prepared statements are bad. But too often I've
seen (even in this newsgroup) statements like the one you referenced
from people who don't understand good programming practices.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
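The three defences discussed above (type-checking integer fields, escaping string values, and parameterized/prepared statements), shown side by side as an added example that is not code from this thread. It uses Python with the standard-library sqlite3 module in place of PHP and MySQL so it runs stand-alone; `sqlite_escape()` is a hypothetical stand-in for mysql_real_escape_string() that doubles single quotes (the standard SQL form, which MySQL also accepts), and the users table and the attacker inputs are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data (not from the thread).
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Vulnerable: the caller's string becomes part of the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def sqlite_escape(value: str) -> str:
    """Hypothetical stand-in for mysql_real_escape_string(): makes a string
    safe to place inside a quoted SQL literal by doubling single quotes.
    (MySQL's real function also handles backslashes and NUL bytes.)"""
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Escaping works for a quoted string literal: the quote in the
    payload no longer terminates the literal."""
    sql = "SELECT id, name FROM users WHERE name = '" + sqlite_escape(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_concat(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Integer column, no quotes around the value: escaping quotes cannot
    help here, because the payload needs none. This is the case that
    'ensure integer fields are integers' covers."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_by_id_validated(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Reject anything that is not a plain decimal integer before it gets
    near the query. re.fullmatch is used rather than str.isdigit(), which
    also accepts Unicode digit characters that int() will not parse."""
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("user id must be a non-negative decimal integer")
    sql = "SELECT id, name FROM users WHERE id = " + str(int(user_id))
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Parameterized query (what mysqli/PDO prepared statements give you):
    the value is bound separately and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # constructed attacker input
    print("concat   :", lookup_concat(db, payload))      # every row
    print("escaped  :", lookup_escaped(db, payload))     # no rows
    print("prepared :", lookup_prepared(db, payload))    # no rows
    print("id concat:", lookup_by_id_concat(db, "1 OR 1=1"))  # every row
    try:
        lookup_by_id_validated(db, "1 OR 1=1")
    except ValueError as exc:
        print("id check :", exc)
```

Run with an id payload such as `1 OR 1=1`, the escaping function is irrelevant (there is no quote to escape) and only the integer check or a bound parameter stops the query from returning every row; with the quoted payload, escaping and binding both hold. That is the sense in which the two approaches complement rather than replace each other.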