| PHP sql entry is a godaweful mess [message #184072] |
Wed, 04 December 2013 11:35  |
<bored
Messages: 1
Registered: December 2013
Karma: 0
|
Junior Member |
|
|
I've just decided to update some code so updated myself with the docs
for mySQL entry cleaning and frankly I am totally confused.
Can someone point to a very clear and unambigous instruction
as to how to safely enter data into a mysql database?
Because I doubt thats even possible with PHP.
We have to contend with stripslashes, magic_quotes, magic_quotes_sybase
mysql_escape_string, mysql_real_escape_string and more...
and now they say mysql_real_escape_string is deprecated in favour
of a mysqli requirement. And dont get mne started on idiotic OOP with
PHP.
Is there a full time team of monkeys sitting at keyboards
ensuring sql entry will never be secure?
As for mysqli and its unnecessarily obtuse syntax... well I'll be
looking for alternatives.
PHP is a set of script language bodges pretending to be a programming
language - its time it was cleaned up or people moved on or
data security can never happen.
Its become a dangerous joke.
|
|
|
|
|
|
| Re: PHP sql entry is a godaweful mess [message #184077 is a reply to message #184072] |
Wed, 04 December 2013 13:52  |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 12/4/2013 6:35 AM, bored(at)now(dot)com wrote:
>
>
> I've just decided to update some code so updated myself with the docs
> for mySQL entry cleaning and frankly I am totally confused.
>
> Can someone point to a very clear and unambigous instruction
> as to how to safely enter data into a mysql database?
> Because I doubt thats even possible with PHP.
>
> We have to contend with stripslashes, magic_quotes, magic_quotes_sybase
> mysql_escape_string, mysql_real_escape_string and more...
>
> and now they say mysql_real_escape_string is deprecated in favour
> of a mysqli requirement. And dont get mne started on idiotic OOP with
> PHP.
>
> Is there a full time team of monkeys sitting at keyboards
> ensuring sql entry will never be secure?
>
> As for mysqli and its unnecessarily obtuse syntax... well I'll be
> looking for alternatives.
>
> PHP is a set of script language bodges pretending to be a programming
> language - its time it was cleaned up or people moved on or
> data security can never happen.
>
> Its become a dangerous joke.
>
>
>
>
>
PHP is an OK language. While I also have some issues with it, I don't
have anywhere near the disdain you seem to have.
stripslashes() was a (very) old way of handling things; magic quotes
similar. Fortunately, the PTB have fixed those problems; magic quotes
are no longer recommended and stripslashes() pretty much gone by the
wayside. mysql_real_escape_string() is much better; it has the added
advantage of being charset sensitive and will properly escape strings in
non-latin1 charsets.
Getting rid of the mysql_xxx extension was a stupid idea, IMHO. Some
people have claimed it's because they MySQL 'C' functions they wrap
around have been deprecated, but there is no indication of that in the
documentation. Maybe they just didn't want to maintain two sets of code
for the same database.
I do think the mysqli_xxx() functions are an improvement over the
mysql_xxx functions. It does give you the *option* of using OO
techniques (which I generally prefer), but they also have non-OO
equivalents. Typically it's only a matter of changing
mysql_xxx(parameters) to mysqli_xxx($link, parameters);
And safely inserting into a MySQL database is also very easy and similar
to any database. You need to validate all values, including type and
actual value (which needs to be done for ANY database). Process ALL
string variables (including things such as the WHERE clause) with
mysqli_real_escape_string(). Alternatively, you can use prepared
statements and bind the values (in mysqli).
PHP, like any language, has matured and changed. They all have had
changes as they have grown. While I think early PHP was pretty much
crap, I could say the same thing about C, for instance. And don't get
me started on FORTRAN II from the 60's!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
|
|
| Re: PHP sql entry is a godaweful mess [message #184099 is a reply to message #184077] |
Thu, 05 December 2013 11:13 |
bill
Messages: 310
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
On 12/4/2013 8:52 AM, Jerry Stuckle wrote:
> While I think early PHP was pretty much crap, I could say the
> same thing about C, for instance. And don't get me started on
> FORTRAN II from the 60's!
and RPG
and COBOL
bill
|
|
|
|
| Re: PHP sql entry is a godaweful mess [OT] [message #184102 is a reply to message #184099] |
Thu, 05 December 2013 13:13 |
adrian
Messages: 27
Registered: December 2012
Karma: 0
|
Junior Member |
|
|
bill <william(at)TechServSys(dot)com> wrote:
> On 12/4/2013 8:52 AM, Jerry Stuckle wrote:
>> While I think early PHP was pretty much crap, I could say the
>> same thing about C, for instance. And don't get me started on
>> FORTRAN II from the 60's!
>
> and RPG
> and COBOL
ALGOLW was good.
--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
|
|
|
|
| Re: PHP sql entry is a godaweful mess [message #184537 is a reply to message #184072] |
Tue, 07 January 2014 04:17 |
John Smith
Messages: 7
Registered: January 2014
Karma: 0
|
Junior Member |
|
|
On Wed, 4 Dec 2013 11:35:40 -0000, <bored(at)now(dot)com> wrote:
>
>
> I've just decided to update some code so updated myself with the docs
> for mySQL entry cleaning and frankly I am totally confused.
>
> Can someone point to a very clear and unambigous instruction
> as to how to safely enter data into a mysql database?
Please use mysqli package with bound variables. Please refer to the
manual.
> Because I doubt thats even possible with PHP.
It is absolutely possible. All the sql injection and related are
solely the programmer(s) fault.
> As for mysqli and its unnecessarily obtuse syntax... well I'll be
> looking for alternatives.
What is exactly obtuse there?
John
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]