Re: PHP sql entry is a godaweful mess [message #184077 is a reply to message #184072]
Wed, 04 December 2013 13:52
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 12/4/2013 6:35 AM, bored(at)now(dot)com wrote:
>
> I've just decided to update some code so updated myself with the docs
> for mySQL entry cleaning and frankly I am totally confused.
>
> Can someone point to a very clear and unambiguous instruction
> as to how to safely enter data into a mysql database?
> Because I doubt that's even possible with PHP.
>
> We have to contend with stripslashes, magic_quotes, magic_quotes_sybase,
> mysql_escape_string, mysql_real_escape_string and more...
>
> and now they say mysql_real_escape_string is deprecated in favour
> of a mysqli requirement. And don't get me started on idiotic OOP with
> PHP.
>
> Is there a full time team of monkeys sitting at keyboards
> ensuring sql entry will never be secure?
>
> As for mysqli and its unnecessarily obtuse syntax... well I'll be
> looking for alternatives.
>
> PHP is a set of script language bodges pretending to be a programming
> language - it's time it was cleaned up or people moved on or
> data security can never happen.
>
> It's become a dangerous joke.
>
PHP is an OK language. While I also have some issues with it, I don't
have anywhere near the disdain you seem to have.

stripslashes() was a (very) old way of handling things; magic quotes
similar. Fortunately, the PTB have fixed those problems; magic quotes
are no longer recommended and stripslashes() has pretty much gone by the
wayside. mysql_real_escape_string() is much better; it has the added
advantage of being charset sensitive and will properly escape strings in
non-latin1 charsets.

Getting rid of the mysql_xxx extension was a stupid idea, IMHO. Some
people have claimed it's because the MySQL 'C' functions they wrap
around have been deprecated, but there is no indication of that in the
documentation. Maybe they just didn't want to maintain two sets of code
for the same database.

I do think the mysqli_xxx() functions are an improvement over the
mysql_xxx functions. It does give you the *option* of using OO
techniques (which I generally prefer), but they also have non-OO
equivalents. Typically it's only a matter of changing
mysql_xxx(parameters) to mysqli_xxx($link, parameters);

And safely inserting into a MySQL database is also very easy and similar
to any database. You need to validate all values, including type and
actual value (which needs to be done for ANY database). Process ALL
string variables (including things such as the WHERE clause) with
mysqli_real_escape_string(). Alternatively, you can use prepared
statements and bind the values (in mysqli).

PHP, like any language, has matured and changed. They all have had
changes as they have grown. While I think early PHP was pretty much
crap, I could say the same thing about C, for instance. And don't get
me started on FORTRAN II from the 60's!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
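The three steps Jerry describes (validate type and value, escape every string with mysqli_real_escape_string(), or bind values through a prepared statement), written out as an added example in mysqli procedural style; this is not code from the post. The connection credentials, the `users` table and its `name`/`age` columns are assumed for illustration.

```php
<?php
// Added example, not from the original post. Credentials and the users(name, age)
// table are assumed. Errors are raised as exceptions rather than silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
// Escaping is charset sensitive, so the connection charset must match the data.
mysqli_set_charset($link, 'utf8mb4');

// Step 1: validate type and value before the input gets near any SQL.
function validateAge($raw): int {
    $opts = ['options' => ['min_range' => 0, 'max_range' => 150]];
    if (filter_var($raw, FILTER_VALIDATE_INT, $opts) === false) {
        throw new InvalidArgumentException('age must be an integer between 0 and 150');
    }
    return (int)$raw;
}

// The pattern to avoid: user-supplied text concatenated straight into the statement,
// so a quote character in $name changes the SQL instead of being stored.
function insertUserUnsafe(mysqli $link, string $name, $age): void {
    mysqli_query($link, "INSERT INTO users (name, age) VALUES ('$name', $age)");
}

// Step 2, option A: escape every string value with mysqli_real_escape_string().
// The same applies to strings used in a WHERE clause.
function insertUserEscaped(mysqli $link, string $name, $age): void {
    $age  = validateAge($age);
    $safe = mysqli_real_escape_string($link, $name);
    mysqli_query($link, "INSERT INTO users (name, age) VALUES ('$safe', $age)");
}

// Step 2, option B: prepared statement with bound parameters; the values are sent
// separately from the SQL text and can never be parsed as part of it.
function insertUserPrepared(mysqli $link, string $name, $age): void {
    $age  = validateAge($age);
    $stmt = mysqli_prepare($link, 'INSERT INTO users (name, age) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'si', $name, $age); // 's' = string, 'i' = integer
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Binding also covers the WHERE clause Jerry mentions.
function findUserByName(mysqli $link, string $name): ?array {
    $stmt = mysqli_prepare($link, 'SELECT id, name, age FROM users WHERE name = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

insertUserPrepared($link, "O'Brien", '42'); // the apostrophe is stored, not interpreted
var_dump(findUserByName($link, "O'Brien"));
```

The unsafe function is kept only for comparison; either of the two safe variants is what Jerry's advice amounts to, with the prepared statement being the one that does not depend on remembering to escape each value.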