FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Prep. Statements only in mysql-i?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Prep. Statements only in mysql-i? [message #177658 is a reply to message #177656] Thu, 12 April 2012 13:21 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 4/12/2012 8:17 AM, Alexandra Herzog wrote:
>> Just out of curiosity, why? Does it not work as it is? I've always
>> been of the philosophy "don't fix what's not broke".
>
> Well, I found out that "prepared statements" offer a good way to protect against SQL Injection Attacks. Since the best hackers are those, who do not let you realize that you've been hacked, I figured it's better to use them.
>
> However, prepared statements seem to be unavailable in the old mysql-object. I will have to use mysql-i or PDO. Those are not supported in PHP4, so I had to upgrade to PHP5 first.
> However, it was time to upgrade anyway.
>
> Alex

So does properly validating your data (which you should do anyway).
Things like ensuring integer fields are integers, for instance. And any
strings you use need to be processed by mysql_real_escape_string().

Prepared statements are only one way to protect against SQL injection.
But they don't replace good programming practices, and if you use good
practices you won't be open to SQL injection whether you use prepared
statements or other ways.

I'm not saying that prepared statements are bad. But too often I've
seen (even in this newsgroup) statements like the one you referenced
from people who don't understand good programming practices.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Clean PDO-MySQL Statement
Next Topic: Getting date URLs and prev/next links working in Codeigniter
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 01:24:16 GMT 2024

Total time taken to generate the page: 0.05689 seconds