| Prep. Statements only in mysql-i? [message #177640] |
Wed, 11 April 2012 22:42  |
Alexandra Herzog
Messages: 4
Registered: April 2012
Karma: 0
|
Junior Member |
|
|
Hi everyone,
I would like to change my homepage (php5, mysql) to use 'prepared
statements'.
Should I use the mysql-i object? Or do 'prepared statements' also exist in
the normal, plain old mysql object, which I know from php4 ?
PDO seems to offer only database independance, but my hoster only offers
mysql and I don't intend to change that in the future (it's just a small
homepage).
Thank you for any hints in the right direction ;)
Alex
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177641 is a reply to message #177640] |
Wed, 11 April 2012 23:16  |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Alexandra Herzog wrote:
> I would like to change my homepage (php5, mysql) to use 'prepared
> statements'.
>
> Should I use the mysql-i object?
Yes, unless PDO is or can be made available.
> Or do 'prepared statements' also exist in the normal, plain old mysql
> object, which I know from php4 ?
No. RTFM: <http://php.net/manual/en/set.mysqlinfo.php>
> PDO seems to offer only database independance,
PDO offers much more, including an convenient API for prepared statements
and transactions. RTFM: <http://php.net/manual/en/intro.pdo.php>
Between mysqli and PDO, I have decided in favor of PDO primarily because on
top of several database drivers, PDOStatement::execute() allows to pass
parameters as an associative array without binding values to variables
first. Therefore, I have found PDO's to be a very suitable, sufficiently
flexible API for use in MVC-based frameworks, including mine. AFAIK, Zend
Framework uses PDO by default, too.
> but my hoster only offers mysql
Tough luck.
> and I don't intend to change that in the future (it's just a small
> homepage).
You will have to make a change if you want to use prepared statements and
thereby gain a minimum of Web application security.
BTW, there is also de.comp.lang.php, which (also?) has a FAQ.
PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7(at)news(dot)demon(dot)co(dot)uk>
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177647 is a reply to message #177641] |
Thu, 12 April 2012 09:29 |
Alexandra Herzog
Messages: 4
Registered: April 2012
Karma: 0
|
Junior Member |
|
|
>> Should I use the mysql-i object?
> Yes, unless PDO is or can be made available.
Thank you. I just wanted to check which ways exist to make use of prepared statements.
It seems there is only mysql-i and PDO, when I want to use prepared statements.
> PDO offers much more, including an convenient API for prepared statements
> and transactions. RTFM: <http://php.net/manual/en/intro.pdo.php>
Good, I'll try that :D
>> and I don't intend to change that in the future (it's just a small
>> homepage).
> You will have to make a change if you want to use prepared statements and
> thereby gain a minimum of Web application security.
Okay, I meant "I don't intend to change my hoster or database in the near future". Obviously the point of the whole thread is to facilitate the change that I am about to make to my scripts..
> BTW, there is also de.comp.lang.php, which (also?) has a FAQ.
Got it. Soooo, you're just guessing by my name that I am german?? Or do I leave any other indication?
Thank you,
Alex
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177650 is a reply to message #177640] |
Thu, 12 April 2012 10:33 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 12.04.2012 00:42, schrieb Alexandra Herzog:
> but my hoster only offers mysql
It makes me angry to hear this. The mysql drivers were outdated long before the
makers stopped supporting it in 2006.
/Str.
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177652 is a reply to message #177650] |
Thu, 12 April 2012 11:51 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/12/2012 6:33 AM, M. Strobel wrote:
> Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>
>> but my hoster only offers mysql
>
> It makes me angry to hear this. The mysql drivers were outdated long before the
> makers stopped supporting it in 2006.
>
> /Str.
MySQL not supported? Who says? It's the most commonly used database on
the web. PostgreSQL and others are way behind in popularity (although I
won't get into an argument as to which is "better").
Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177653 is a reply to message #177640] |
Thu, 12 April 2012 11:53 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/11/2012 6:42 PM, Alexandra Herzog wrote:
> Hi everyone,
>
> I would like to change my homepage (php5, mysql) to use 'prepared
> statements'.
>
> Should I use the mysql-i object? Or do 'prepared statements' also exist in
> the normal, plain old mysql object, which I know from php4 ?
> PDO seems to offer only database independance, but my hoster only offers
> mysql and I don't intend to change that in the future (it's just a small
> homepage).
>
> Thank you for any hints in the right direction ;)
> Alex
Hi, Alex,
Just out of curiosity, why? Does it not work as it is? I've always
been of the philosophy "don't fix what's not broke".
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177656 is a reply to message #177653] |
Thu, 12 April 2012 12:17 |
Alexandra Herzog
Messages: 4
Registered: April 2012
Karma: 0
|
Junior Member |
|
|
> Just out of curiosity, why? Does it not work as it is? I've always
> been of the philosophy "don't fix what's not broke".
Well, I found out that "prepared statements" offer a good way to protect against SQL Injection Attacks. Since the best hackers are those, who do not let you realize that you've been hacked, I figured it's better to use them.
However, prepared statements seem to be unavailable in the old mysql-object. I will have to use mysql-i or PDO. Those are not supported in PHP4, so I had to upgrade to PHP5 first.
However, it was time to upgrade anyway.
Alex
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177658 is a reply to message #177656] |
Thu, 12 April 2012 13:21 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/12/2012 8:17 AM, Alexandra Herzog wrote:
>> Just out of curiosity, why? Does it not work as it is? I've always
>> been of the philosophy "don't fix what's not broke".
>
> Well, I found out that "prepared statements" offer a good way to protect against SQL Injection Attacks. Since the best hackers are those, who do not let you realize that you've been hacked, I figured it's better to use them.
>
> However, prepared statements seem to be unavailable in the old mysql-object. I will have to use mysql-i or PDO. Those are not supported in PHP4, so I had to upgrade to PHP5 first.
> However, it was time to upgrade anyway.
>
> Alex
So does properly validating your data (which you should do anyway).
Things like ensuring integer fields are integers, for instance. And any
strings you use need to be processed by mysql_real_escape_string().
Prepared statements are only one way to protect against SQL injection.
But they don't replace good programming practices, and if you use good
practices you won't be open to SQL injection whether you use prepared
statements or other ways.
I'm not saying that prepared statements are bad. But too often I've
seen (even in this newsgroup) statements like the one you referenced
from people who don't understand good programming practices.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177661 is a reply to message #177652] |
Thu, 12 April 2012 15:22 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 12.04.2012 13:51, schrieb Jerry Stuckle:
> On 4/12/2012 6:33 AM, M. Strobel wrote:
>> Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>>
>>> but my hoster only offers mysql
>>
>> It makes me angry to hear this. The mysql drivers were outdated long before the
>> makers stopped supporting it in 2006.
>>
>> /Str.
>
> MySQL not supported? Who says? It's the most commonly used database on the web.
> PostgreSQL and others are way behind in popularity (although I won't get into an
> argument as to which is "better").
>
> Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
mysql interface vs. mysqli. I know the first is old and slower, and the support info
I just read at http://www.radicore.org/radicore-for-php.php
/Str.
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177667 is a reply to message #177661] |
Thu, 12 April 2012 17:16 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/12/2012 11:22 AM, M. Strobel wrote:
> Am 12.04.2012 13:51, schrieb Jerry Stuckle:
>> On 4/12/2012 6:33 AM, M. Strobel wrote:
>>> Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>>>
>>>> but my hoster only offers mysql
>>>
>>> It makes me angry to hear this. The mysql drivers were outdated long before the
>>> makers stopped supporting it in 2006.
>>>
>>> /Str.
>>
>> MySQL not supported? Who says? It's the most commonly used database on the web.
>> PostgreSQL and others are way behind in popularity (although I won't get into an
>> argument as to which is "better").
>>
>> Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
>
> mysql interface vs. mysqli. I know the first is old and slower, and the support info
> I just read at http://www.radicore.org/radicore-for-php.php
>
> /Str.
>
And how do you "know" that? Both end up as calls to mysql_xxxx C
functions. The mysql_xxx calls in PHP are just wrappers to the C
functions. The mysqli_xxx calls have to do a lot more work before
calling the appropriate mysql_xxx C functions.
If the mysqli_xxx calls have to do more work before calling the same
functions, how can they be faster?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177669 is a reply to message #177667] |
Thu, 12 April 2012 17:28 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 12.04.2012 19:16, schrieb Jerry Stuckle:
> On 4/12/2012 11:22 AM, M. Strobel wrote:
>> Am 12.04.2012 13:51, schrieb Jerry Stuckle:
>>> On 4/12/2012 6:33 AM, M. Strobel wrote:
>>>> Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>>>>
>>>> > but my hoster only offers mysql
>>>>
>>>> It makes me angry to hear this. The mysql drivers were outdated long before the
>>>> makers stopped supporting it in 2006.
>>>>
>>>> /Str.
>>>
>>> MySQL not supported? Who says? It's the most commonly used database on the web.
>>> PostgreSQL and others are way behind in popularity (although I won't get into an
>>> argument as to which is "better").
>>>
>>> Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
>>
>> mysql interface vs. mysqli. I know the first is old and slower, and the support info
>> I just read at http://www.radicore.org/radicore-for-php.php
>>
>> /Str.
>>
>
> And how do you "know" that? Both end up as calls to mysql_xxxx C functions. The
> mysql_xxx calls in PHP are just wrappers to the C functions. The mysqli_xxx calls
> have to do a lot more work before calling the appropriate mysql_xxx C functions.
>
> If the mysqli_xxx calls have to do more work before calling the same functions, how
> can they be faster?
I admit my arguments are a bit sloppy, one could go more into depth.
But true is that mysqli is strongly recommended for MySQL versions 4.1.3 or later,
see http://ca3.php.net/manual/en/mysqli.overview.php
And I can't understand why the mysql interface is still advocated by some. Look at
the old mysql password format, ridiculous.
/Str.
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177672 is a reply to message #177669] |
Thu, 12 April 2012 18:08 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/12/2012 1:28 PM, M. Strobel wrote:
> Am 12.04.2012 19:16, schrieb Jerry Stuckle:
>> On 4/12/2012 11:22 AM, M. Strobel wrote:
>>> Am 12.04.2012 13:51, schrieb Jerry Stuckle:
>>>> On 4/12/2012 6:33 AM, M. Strobel wrote:
>>>> > Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>>>> >
>>>> >> but my hoster only offers mysql
>>>> >
>>>> > It makes me angry to hear this. The mysql drivers were outdated long before the
>>>> > makers stopped supporting it in 2006.
>>>> >
>>>> > /Str.
>>>>
>>>> MySQL not supported? Who says? It's the most commonly used database on the web.
>>>> PostgreSQL and others are way behind in popularity (although I won't get into an
>>>> argument as to which is "better").
>>>>
>>>> Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
>>>
>>> mysql interface vs. mysqli. I know the first is old and slower, and the support info
>>> I just read at http://www.radicore.org/radicore-for-php.php
>>>
>>> /Str.
>>>
>>
>> And how do you "know" that? Both end up as calls to mysql_xxxx C functions. The
>> mysql_xxx calls in PHP are just wrappers to the C functions. The mysqli_xxx calls
>> have to do a lot more work before calling the appropriate mysql_xxx C functions.
>>
>> If the mysqli_xxx calls have to do more work before calling the same functions, how
>> can they be faster?
>
> I admit my arguments are a bit sloppy, one could go more into depth.
>
> But true is that mysqli is strongly recommended for MySQL versions 4.1.3 or later,
> see http://ca3.php.net/manual/en/mysqli.overview.php
>
> And I can't understand why the mysql interface is still advocated by some. Look at
> the old mysql password format, ridiculous.
>
> /Str.
>
The mysql interface has nothing to do with the old mysql password
format. Two entirely different things.
The fact is that mysql_xxx is faster and generally easier to use in a
procedural script. mysqli_xxx is slower, but easier to use in an OO format.
Both have advantages and disadvantages, and should be used as appropriate.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177673 is a reply to message #177672] |
Thu, 12 April 2012 18:23 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 12.04.2012 20:08, schrieb Jerry Stuckle:
> On 4/12/2012 1:28 PM, M. Strobel wrote:
>> Am 12.04.2012 19:16, schrieb Jerry Stuckle:
>>> On 4/12/2012 11:22 AM, M. Strobel wrote:
>>>> Am 12.04.2012 13:51, schrieb Jerry Stuckle:
>>>> > On 4/12/2012 6:33 AM, M. Strobel wrote:
>>>> >> Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>>>> >>
>>>> >>> but my hoster only offers mysql
>>>> >>
>>>> >> It makes me angry to hear this. The mysql drivers were outdated long before the
>>>> >> makers stopped supporting it in 2006.
>>>> >>
>>>> >> /Str.
>>>> >
>>>> > MySQL not supported? Who says? It's the most commonly used database on the web.
>>>> > PostgreSQL and others are way behind in popularity (although I won't get into an
>>>> > argument as to which is "better").
>>>> >
>>>> > Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
>>>>
>>>> mysql interface vs. mysqli. I know the first is old and slower, and the support info
>>>> I just read at http://www.radicore.org/radicore-for-php.php
>>>>
>>>> /Str.
>>>>
>>>
>>> And how do you "know" that? Both end up as calls to mysql_xxxx C functions. The
>>> mysql_xxx calls in PHP are just wrappers to the C functions. The mysqli_xxx calls
>>> have to do a lot more work before calling the appropriate mysql_xxx C functions.
>>>
>>> If the mysqli_xxx calls have to do more work before calling the same functions, how
>>> can they be faster?
>>
>> I admit my arguments are a bit sloppy, one could go more into depth.
>>
>> But true is that mysqli is strongly recommended for MySQL versions 4.1.3 or later,
>> see http://ca3.php.net/manual/en/mysqli.overview.php
>>
>> And I can't understand why the mysql interface is still advocated by some. Look at
>> the old mysql password format, ridiculous.
>>
>> /Str.
>>
>
> The mysql interface has nothing to do with the old mysql password format. Two
> entirely different things.
I still remember something I had to debug in 2006, see
http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html at
"what you should do if you upgrade your server but need to maintain backward
compatibility with pre-4.1 clients"
I won't write an article on this now.
/Str.
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177674 is a reply to message #177669] |
Thu, 12 April 2012 18:29 |
Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 12 Apr 2012 19:28:13 +0200, M. Strobel wrote:
> But true is that mysqli is strongly recommended for MySQL versions
> 4.1.3 or later, see http://ca3.php.net/manual/en/mysqli.overview.php
>
> And I can't understand why the mysql interface is still advocated by
> some. Look at the old mysql password format, ridiculous.
That was an engine change. Completely separate issue and completely
separate from the interface. Don't muddy things needlessly.
--
How about an Australian-language version? 'Your program just attempted
an illegal instruction. No worries, mate.'
-- Paul Tomblin
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177675 is a reply to message #177673] |
Thu, 12 April 2012 20:34 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/12/2012 2:23 PM, M. Strobel wrote:
> Am 12.04.2012 20:08, schrieb Jerry Stuckle:
>> On 4/12/2012 1:28 PM, M. Strobel wrote:
>>> Am 12.04.2012 19:16, schrieb Jerry Stuckle:
>>>> On 4/12/2012 11:22 AM, M. Strobel wrote:
>>>> > Am 12.04.2012 13:51, schrieb Jerry Stuckle:
>>>> >> On 4/12/2012 6:33 AM, M. Strobel wrote:
>>>> >>> Am 12.04.2012 00:42, schrieb Alexandra Herzog:
>>>> >>>
>>>> >>>> but my hoster only offers mysql
>>>> >>>
>>>> >>> It makes me angry to hear this. The mysql drivers were outdated long before the
>>>> >>> makers stopped supporting it in 2006.
>>>> >>>
>>>> >>> /Str.
>>>> >>
>>>> >> MySQL not supported? Who says? It's the most commonly used database on the web.
>>>> >> PostgreSQL and others are way behind in popularity (although I won't get into an
>>>> >> argument as to which is "better").
>>>> >>
>>>> >> Or if you mean the mysql interface vs. mysqli, who says it isn't supported?
>>>> >
>>>> > mysql interface vs. mysqli. I know the first is old and slower, and the support info
>>>> > I just read at http://www.radicore.org/radicore-for-php.php
>>>> >
>>>> > /Str.
>>>> >
>>>>
>>>> And how do you "know" that? Both end up as calls to mysql_xxxx C functions. The
>>>> mysql_xxx calls in PHP are just wrappers to the C functions. The mysqli_xxx calls
>>>> have to do a lot more work before calling the appropriate mysql_xxx C functions.
>>>>
>>>> If the mysqli_xxx calls have to do more work before calling the same functions, how
>>>> can they be faster?
>>>
>>> I admit my arguments are a bit sloppy, one could go more into depth.
>>>
>>> But true is that mysqli is strongly recommended for MySQL versions 4.1.3 or later,
>>> see http://ca3.php.net/manual/en/mysqli.overview.php
>>>
>>> And I can't understand why the mysql interface is still advocated by some. Look at
>>> the old mysql password format, ridiculous.
>>>
>>> /Str.
>>>
>>
>> The mysql interface has nothing to do with the old mysql password format. Two
>> entirely different things.
>
> I still remember something I had to debug in 2006, see
> http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html at
> "what you should do if you upgrade your server but need to maintain backward
> compatibility with pre-4.1 clients"
>
> I won't write an article on this now.
>
> /Str.
Which was only a problem if you used pre-4.1 clients on 4.1 or later
servers and did not use the --old_passwords option.
It had absolutely nothing to do with the mysql_xxx functions.
But if you were trying to do this with mysqli_xxx, those function calls
would fail with the same error.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177678 is a reply to message #177652] |
Fri, 13 April 2012 08:06 |
Adam Harvey
Messages: 25
Registered: September 2010
Karma: 0
|
Junior Member |
|
|
On Thu, 12 Apr 2012 07:51:38 -0400, Jerry Stuckle wrote:
> Or if you mean the mysql interface vs. mysqli, who says it isn't
> supported?
Not supported is a bit strong, since ext/mysql is still bundled with PHP,
but Sun/Oracle have been focusing on mysqli for the last few years, and
the current plan is to deprecate the mysql extension in the next PHP
minor/major release (most likely to be numbered 5.5) with a view to
removal in a subsequent release.
Those keeping a sharp eye on the mysql_connect() manual page will have
noticed a new note appear last week (there's an ongoing debate about how
prominent to have it, since it's currently fairly buried), which reads:
> Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL
> extension should be used. See also MySQL: choosing an API for more
> information.
> Alternatives to this function include:
> mysqli_connect()
> PDO::__construct()
So whilst ext/mysql may be supported for now, that's unlikely to continue
indefinitely.
Adam
|
|
|
|
| Re: Prep. Statements only in mysql-i? [message #177694 is a reply to message #177647] |
Sat, 14 April 2012 06:21 |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Alexandra Herzog wrote:
> [Thomas 'PointedEars' Lahn wrote: ]
>> BTW, there is also de.comp.lang.php, which (also?) has a FAQ.
> Got it. Soooo, you're just guessing by my name that I am german?? Or do I
> leave any other indication?
I guessed by your e-mail address. However, with hindsight, the Message-ID
of your OP (<539265724355876611(dot)335360herzog(dot)alex-arcor(dot)de(at)individual(dot)de>),
word order and choice of words do indicate your native language, too. I am
German, so I can tell.
> Thank you
You're welcome.
Please leave in the attribution lines next time: <http://learn.to/quote>
PointedEars
--
> If you get a bunch of authors […] that state the same "best practices"
> in any programming language, then you can bet who is wrong or right...
Not with javascript. Nonsense propagates like wildfire in this field.
-- Richard Cornford, comp.lang.javascript, 2011-11-14
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]