next »

[DangerMouse]

Hi all,

Any thoughts on the PHP standard mysql api, versus the OO Mysqli version? I've noted that the original is used predominantly, is this because of lack of PHP5 uptake or for other reasons I'm unaware of?

I've been looking into SQL injection prevention recently and came across "prepared statements" - does anyone have any experience of these? Particularly interms of how effective they are as a security measure and how much of a performance hit you take as a result?

Thoughts?

DM

[perkiset]

There's lots of discussion that the MySQLi extensions offer more functionality than the older stock MySQL functions... I've got a lot of code wrapped around the old ones and have not had any need for some of the newer functionality so I've not even tried them yet.

[DangerMouse]

To be honest I only use the most basic of functionality so can't really see I need the features, although an OOP approach might be nice.

What security measures do you normally take to prevent SQL Injection in your wrapper methods Perk? I'm totally paranoid about security stuff, XSS and SQLi seem so 'easy' from what i've seen, yet I dont know enough about char sets etc to work against it.

DM

[perkiset]

First off, I never pass an unfiltered URL to anything critical in my systems. Searches are one of the few where parameters passed to me are even used, and I'll strip everything non A-Z0-9 out of them before I even throw it at the database. Everything else, the user may send me an intention, but I create the SQL or exec or whatever on the back side myself rather than using what they send me.

Jason D handed me my lunch one day looking at one of my older sites - what a hoot! He took that bastard out for a drive and never came back. Not a database issue, an XSS issue, but still not good.

So this simple set of rules also plays nicely to anti-XSS strategies as well.