FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » PHP sql entry is a godaweful mess
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
PHP sql entry is a godaweful mess [message #184072] Wed, 04 December 2013 11:35 Go to next message
<bored is currently offline  <bored
Messages: 1
Registered: December 2013
Karma: 0
Junior Member
I've just decided to update some code so updated myself with the docs
for mySQL entry cleaning and frankly I am totally confused.

Can someone point to a very clear and unambigous instruction
as to how to safely enter data into a mysql database?
Because I doubt thats even possible with PHP.

We have to contend with stripslashes, magic_quotes, magic_quotes_sybase
mysql_escape_string, mysql_real_escape_string and more...

and now they say mysql_real_escape_string is deprecated in favour
of a mysqli requirement. And dont get mne started on idiotic OOP with
PHP.

Is there a full time team of monkeys sitting at keyboards
ensuring sql entry will never be secure?

As for mysqli and its unnecessarily obtuse syntax... well I'll be
looking for alternatives.

PHP is a set of script language bodges pretending to be a programming
language - its time it was cleaned up or people moved on or
data security can never happen.

Its become a dangerous joke.
Re: PHP sql entry is a godaweful mess [message #184073 is a reply to message #184072] Wed, 04 December 2013 12:37 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article <MPG(dot)2d0923e0848f8339896b9(at)news(dot)virginmedia(dot)com>,
<bored(at)now(dot)com> wrote:

> PHP is a set of script language bodges pretending to be a programming
> language - its time it was cleaned up or people moved on or
> data security can never happen.
>
> Its become a dangerous joke.

Ha ha ha ha ha. Now piss off.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: PHP sql entry is a godaweful mess [message #184077 is a reply to message #184072] Wed, 04 December 2013 13:52 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 12/4/2013 6:35 AM, bored(at)now(dot)com wrote:
>
>
> I've just decided to update some code so updated myself with the docs
> for mySQL entry cleaning and frankly I am totally confused.
>
> Can someone point to a very clear and unambigous instruction
> as to how to safely enter data into a mysql database?
> Because I doubt thats even possible with PHP.
>
> We have to contend with stripslashes, magic_quotes, magic_quotes_sybase
> mysql_escape_string, mysql_real_escape_string and more...
>
> and now they say mysql_real_escape_string is deprecated in favour
> of a mysqli requirement. And dont get mne started on idiotic OOP with
> PHP.
>
> Is there a full time team of monkeys sitting at keyboards
> ensuring sql entry will never be secure?
>
> As for mysqli and its unnecessarily obtuse syntax... well I'll be
> looking for alternatives.
>
> PHP is a set of script language bodges pretending to be a programming
> language - its time it was cleaned up or people moved on or
> data security can never happen.
>
> Its become a dangerous joke.
>
>
>
>
>


PHP is an OK language. While I also have some issues with it, I don't
have anywhere near the disdain you seem to have.

stripslashes() was a (very) old way of handling things; magic quotes
similar. Fortunately, the PTB have fixed those problems; magic quotes
are no longer recommended and stripslashes() pretty much gone by the
wayside. mysql_real_escape_string() is much better; it has the added
advantage of being charset sensitive and will properly escape strings in
non-latin1 charsets.

Getting rid of the mysql_xxx extension was a stupid idea, IMHO. Some
people have claimed it's because they MySQL 'C' functions they wrap
around have been deprecated, but there is no indication of that in the
documentation. Maybe they just didn't want to maintain two sets of code
for the same database.

I do think the mysqli_xxx() functions are an improvement over the
mysql_xxx functions. It does give you the *option* of using OO
techniques (which I generally prefer), but they also have non-OO
equivalents. Typically it's only a matter of changing
mysql_xxx(parameters) to mysqli_xxx($link, parameters);

And safely inserting into a MySQL database is also very easy and similar
to any database. You need to validate all values, including type and
actual value (which needs to be done for ANY database). Process ALL
string variables (including things such as the WHERE clause) with
mysqli_real_escape_string(). Alternatively, you can use prepared
statements and bind the values (in mysqli).

PHP, like any language, has matured and changed. They all have had
changes as they have grown. While I think early PHP was pretty much
crap, I could say the same thing about C, for instance. And don't get
me started on FORTRAN II from the 60's!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: PHP sql entry is a godaweful mess [message #184081 is a reply to message #184072] Wed, 04 December 2013 16:15 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Am 04.12.2013 12:35, schrieb bored(at)now(dot)com:

> I've just decided to update some code so updated myself with the docs
> for mySQL entry cleaning and frankly I am totally confused.
>
> Can someone point to a very clear and unambigous instruction
> as to how to safely enter data into a mysql database?
> Because I doubt thats even possible with PHP.

It is - just do NOT use mysql but mysqli or PDO.

> We have to contend with stripslashes, magic_quotes, magic_quotes_sybase
> mysql_escape_string, mysql_real_escape_string and more...

No - you don't have to.

See:

<http://php.net/manual/en/class.mysqli.php>
<http://www.php.net/manual/en/mysqli.prepare.php>
<http://php.net/manual/en/book.pdo.php>
<http://php.net/manual/en/pdo.prepare.php>

> As for mysqli and its unnecessarily obtuse syntax... well I'll be
> looking for alternatives.

Obtuse syntax? Why?

Maybe you got confused by the fact, that mysqli comes in two flavors:
Procedural - to make it easier to migrate existing code from mysql - and
object oriented.

See <http://php.net/manual/en/mysqli.quickstart.dual-interface.php>



--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: PHP sql entry is a godaweful mess [message #184099 is a reply to message #184077] Thu, 05 December 2013 11:13 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 12/4/2013 8:52 AM, Jerry Stuckle wrote:
> While I think early PHP was pretty much crap, I could say the
> same thing about C, for instance. And don't get me started on
> FORTRAN II from the 60's!

and RPG
and COBOL

bill
Re: PHP sql entry is a godaweful mess [OT] [message #184102 is a reply to message #184099] Thu, 05 December 2013 13:13 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
bill <william(at)TechServSys(dot)com> wrote:

> On 12/4/2013 8:52 AM, Jerry Stuckle wrote:
>> While I think early PHP was pretty much crap, I could say the
>> same thing about C, for instance. And don't get me started on
>> FORTRAN II from the 60's!
>
> and RPG
> and COBOL

ALGOLW was good.


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: PHP sql entry is a godaweful mess [message #184537 is a reply to message #184072] Tue, 07 January 2014 04:17 Go to previous message
John Smith is currently offline  John Smith
Messages: 7
Registered: January 2014
Karma: 0
Junior Member
On Wed, 4 Dec 2013 11:35:40 -0000, <bored(at)now(dot)com> wrote:

>
>
> I've just decided to update some code so updated myself with the docs
> for mySQL entry cleaning and frankly I am totally confused.
>
> Can someone point to a very clear and unambigous instruction
> as to how to safely enter data into a mysql database?

Please use mysqli package with bound variables. Please refer to the
manual.

> Because I doubt thats even possible with PHP.

It is absolutely possible. All the sql injection and related are
solely the programmer(s) fault.

> As for mysqli and its unnecessarily obtuse syntax... well I'll be
> looking for alternatives.

What is exactly obtuse there?

John
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Loop through array, change headings
Next Topic: foreach problem part two
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 02:16:17 GMT 2024

Total time taken to generate the page: 0.03642 seconds