Greebo.net:
Converting your PHP app to MySQLi prepared statements
January 04, 2010 @ 13:46:13

From Greebo.net there's a recent post that looks at converting the current database functionality in your application over to MySQLi and making use of prepared statements as a layer of protection for your queries.

Okay, you've got like a zillion SQL queries in your PHP app, and probably 95% of them have a WHERE clause, and you need to make them safe so people will still download and use your app. Because if you don't fix your injection issues, I will rain fire on your ass. These are the steps you need to take to convert to prepared statements.

The guide lists two steps you'll need to make the transition: "PHP 4 is dead. Upgrade to PHP 5" and "make sure your hoster has MySQLi". The major part of the update is under the first point, where he gives code examples and suggestions to follow about how to "harden" your environment against any issues that lax SQL methods might have caused, along with a simple example of a move from MySQL to MySQLi.
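As an added illustration of the conversion the post describes (this is example code written for this summary, not Greebo.net's own), here is one legacy ext/mysql query next to its MySQLi prepared-statement version, plus the variable-length `IN (...)` case that a mass conversion usually stumbles on. The table and column names, the connection values and the `find_user*` helper names are all placeholders invented for the example.

```php
<?php
// Added example: converting a legacy ext/mysql query to MySQLi prepared statements.
// Table/column names, credentials and function names are placeholders invented here.

// BEFORE (legacy ext/mysql): the value is spliced into the SQL text, so the
// server cannot tell where the query ends and the user's input begins.
function find_user_legacy($link, $username)
{
    $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";
    return mysql_query($sql, $link);
}

// Reads every (id, email) row from an executed statement.
function fetch_id_email(mysqli_stmt $stmt)
{
    $stmt->bind_result($id, $email);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'email' => $email);
    }
    $stmt->close();
    return $rows;
}

// AFTER (MySQLi): the statement text is sent first and the value is bound
// separately, so the value is never parsed as SQL whatever it contains.
function find_user(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' string, 'i' integer, 'd' double, 'b' blob
    $stmt->execute();
    return fetch_id_email($stmt);
}

// WHERE id IN (...) with a variable number of values: emit one '?' per value,
// build a type string with one 'i' per value, and bind them all. bind_param
// takes its arguments by reference, hence the array of references.
function find_users_by_ids(mysqli $db, array $ids)
{
    if (count($ids) === 0) {
        return array();
    }
    $ids = array_values(array_map('intval', $ids));
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, email FROM users WHERE id IN ($placeholders)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $args = array(str_repeat('i', count($ids)));
    for ($i = 0; $i < count($ids); $i++) {
        $args[] = &$ids[$i];
    }
    call_user_func_array(array($stmt, 'bind_param'), $args);
    $stmt->execute();
    return fetch_id_email($stmt);
}

// Connection setup. set_charset() tells both the server and the client library
// which character set is in use; do it through the API rather than "SET NAMES"
// so that any remaining escape_string() calls know the charset as well.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');  // placeholders
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8');

$username = isset($_GET['username']) ? $_GET['username'] : '';
print_r(find_user($db, $username));
print_r(find_users_by_ids($db, array(3, 7, 11)));
```

The `IN (...)` helper casts every id to an integer before binding, so only the number of placeholders is derived from the input, never the SQL text itself. On PHP 5.6 and later the `call_user_func_array` line can be written as `$stmt->bind_param($types, ...$ids)`.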

mysql mysqli convert prepared statements tutorial



Wez Furlong's Blog:
Using PDO MySQL?
April 24, 2006 @ 07:03:01

In this new post from Wez Furlong, he looks at some of the things that the native MySQL client library does (the silly things) and recommends an alternative with the PDO libraries.

I've recently discovered a few things about how the mysql client library does things that seem a bit silly to me, so I'm going to share them with you.

Among the things he mentions is prepared-statement functionality like "native prepared statements cannot take advantage of the query cache" and "native prepared statements cannot execute certain types of queries". He gives a simple line of code (for PHP 5.1.3 and later) that has PDO's own query parser loaded instead of the one in the standard MySQL client library.

mysql pdo prepared statements client library


Ilia Alshanetsky's Blog:
mysql_real_escape_string() versus Prepared Statements
January 23, 2006 @ 06:58:18

Ilia Alshanetsky also has his own look today at the "mysql_real_escape_string versus addslashes" debate that's going on, looking more at why there's even an issue here (with addslashes).

Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.

The problem demonstrated actually goes a bit further, which even makes the prescribed escaping mechanism, mysql_real_escape_string(), prone to the same kind of issues affecting addslashes().

He shows code examples that create a simple SQL injection using mysql_real_escape_string to cause the same issue, all based around the default character set that the MySQL server uses. His suggested solution? Prepared statements (like those PDO offers).
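The PDO setting from Wez's post and the character-set point from Ilia's post both come down to how the connection is configured, so one connection routine can show them together. The following is an added example written for this summary, not code from either blog; it assumes the attribute Wez refers to is `PDO::ATTR_EMULATE_PREPARES`, and the host, database, credentials, table and column names are placeholders.

```php
<?php
// Added example (not from either post): a PDO MySQL connection where the charset
// is declared to the driver and every value goes through a prepared statement.
// Assumption: PDO::ATTR_EMULATE_PREPARES is the setting Wez's post refers to.
// Host, database, credentials, table and column names are placeholders.

function connect_pdo($host, $dbname, $user, $pass, $emulate = false)
{
    // Declaring the charset in the DSN (PHP 5.3.6+) tells the driver what bytes
    // it is quoting. "SET NAMES" alone changes the server's view only, which is
    // the client/server mismatch behind the multibyte escaping problem.
    $dsn = "mysql:host=$host;dbname=$dbname;charset=utf8";
    $pdo = new PDO($dsn, $user, $pass);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // false: statements are prepared by the MySQL server (native).
    // true:  PDO's own parser quotes values client-side and sends plain SQL,
    //        which is what Wez switches on to avoid the native limitations he
    //        lists. Client-side quoting is only as good as the driver's idea of
    //        the charset, hence the charset in the DSN above.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulate);
    return $pdo;
}

// Values travel as bound parameters; only the shape of the query is fixed text.
function find_posts(PDO $pdo, $authorId, $since, $limit)
{
    $stmt = $pdo->prepare(
        'SELECT id, title FROM posts
         WHERE author_id = :author AND created_at >= :since
         ORDER BY created_at DESC LIMIT :lim'
    );
    $stmt->bindValue(':author', (int) $authorId, PDO::PARAM_INT);
    $stmt->bindValue(':since', $since, PDO::PARAM_STR);
    // LIMIT must receive an integer; with emulation on, a string-typed value
    // would be quoted and the statement would fail, so bind it as PARAM_INT.
    $stmt->bindValue(':lim', (int) $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A prepared statement is parsed once and can be executed repeatedly with new
// values; wrapping the loop in a transaction keeps the insert all-or-nothing.
function insert_tags(PDO $pdo, $postId, array $tags)
{
    $stmt = $pdo->prepare('INSERT INTO post_tags (post_id, tag) VALUES (:post, :tag)');
    $pdo->beginTransaction();
    try {
        foreach ($tags as $tag) {
            $stmt->execute(array(':post' => (int) $postId, ':tag' => $tag));
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}

$pdo = connect_pdo('localhost', 'app_db', 'app_user', 'app_password');
$author = isset($_GET['author']) ? $_GET['author'] : 0;
print_r(find_posts($pdo, $author, '2006-01-01', 20));
```

Whichever way `ATTR_EMULATE_PREPARES` is set, the application code stays the same: the query text never contains user data, so the choice between native and emulated prepares becomes the performance and feature trade-off Wez describes rather than a question of escaping.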

addslashes mysql_real_escape_string debate prepared statements




All content copyright, 2012 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework