Re: PS Re: GUI designer in html [message #182483 is a reply to message #182481]
Wed, 07 August 2013 17:52 |
The Natural Philosoph
Messages: 993 Registered: September 2010
On 07/08/13 17:51, Twayne wrote:
> On 2013-08-05 7:32 PM, The Natural Philosopher wrote:
> ...
>
>>>>
>>>> The MySQL server allows having statements that do return result
>>>> sets and
>>>> statements that do not return result sets in one multiple statement.
>>>> "
>>>>
>>>
>>> You need to scroll down to the middle of the page and read
>>> *Security considerations* and *Example #2*.
>>>
>>>
>> Furthermore the manual for mysql_query (as opposed to mysqli_query)
>> actually states:
>>
>> "*mysql_query()* sends a unique query *(multiple queries are not
>> supported)* to the currently active database on the server that's
>> associated with the specified /|link_identifier|/. "
>
> Yes, that's true. As a relative newcomer to PHP and the fact that
> MYSQL is being deprecated, as long as mysqli is available on my servers;
> wouldn't it be wise to go in the mysqli direction?
>
> I've no intention of making multiple queries currently but ... I
> haven't used "i" yet either so I'm far from guru; I can only go by
> what I read and the MYSQL reference to mysqli for multiple queries,
> should the occasion arise. In fact, I've only ever experimented with
> MYSQL itself; though I am using it on one of my own sites.
>
> To me, it simply seems like the right way to go. Do you disagree
> with that?
>
>
>> so it would seem that this actual sql injection method is an urban myth.
>
> Well, I've seen a few exploits and how they're done, and I've used
> one of them, and I did successfully trash my database. So, not so sure
> that's 100% the case; perhaps it's just you're good at writing
> sanitize/validate code?
>
>>
>> From PHP anyway.
>>
>> ISTR I actually tried it once to see if my code was robust. I failed to
>> destroy the database or indeed any data, at all.
>>
>
> Interesting observations/experiment; thanks for the info. Don't you
> think it's actually due to your own code? Just curious, mostly.
>
I really don't know. I tried everything I could think of.
I suppose defensive coding is a habit you get into when writing code, as
are copious comments and the use of 'highest common factor' language
constructs, in case the poor sod who has to maintain it after you are
gone doesn't actually understand regexp or WHY. I know I never have :[-)
It's always taken less time to do it another way than really learn the
syntax.
> Good post,
>
> Twayne
>
>
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
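The two posters disagree about whether the "multiple queries are not supported" note in the mysql_query() manual makes injection a myth. The point a defender should take from the exchange is that the single-statement limit only blocks a *stacked* second statement; a value spliced into the SQL text can still change what the one statement does. The following is an added example written for this page, not code from either poster or from the PHP manual. It assumes a `users` table with `id` and `name` columns and uses placeholder connection credentials; it shows the concatenation pattern beside the mysqli prepared-statement form Twayne is asking about.

```php
<?php
// Added example, not from the thread. Assumed schema: users(id INT, name VARCHAR).
// Credentials below are placeholders.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable form: the caller-supplied value becomes part of the SQL text.
// An API that refuses a second statement does not help here: a quote character
// inside $name can still rewrite the WHERE clause of this single statement.
function findUserVulnerable(mysqli $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    $result = $db->query($sql);
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Hardened form: the SQL text is fixed at prepare() time and the value travels
// separately as a bound parameter, so quotes in $name are just data.
function findUserSafe(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    // get_result() needs the mysqlnd driver (the default since PHP 5.4).
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Note: mysqli_query()/mysqli::query() execute exactly one statement, like the old
// mysql_query(). Only mysqli_multi_query() runs several at once, so it must never
// be given text built from untrusted input.

$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

$name = $_GET['name'] ?? '';
foreach (findUserSafe($db, $name) as $row) {
    // Escape on output as well; parameter binding protects the query, not the HTML.
    printf("%d: %s\n", $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
```

The habit the reply describes as "defensive coding" reduces, for database access, to never letting input touch the SQL string: `findUserSafe()` is the same query as `findUserVulnerable()` with the data moved out of the text, and it works identically whether or not the underlying API would accept a second statement.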