The Cache: Technology Expert's Forum
Topic: PHP Mysql versus Mysqli extensions
DangerMouse
« on: November 27, 2007, 10:54:44 AM »

Hi all,

Any thoughts on the PHP standard mysql API versus the OO mysqli version? I've noted that the original is used predominantly; is this because of lack of PHP5 uptake, or for other reasons I'm unaware of?

I've been looking into SQL injection prevention recently and came across "prepared statements" - does anyone have any experience of these? Particularly in terms of how effective they are as a security measure and how much of a performance hit you take as a result?

Thoughts?

DM
perkiset
« Reply #1 on: November 27, 2007, 12:23:31 PM »

There's lots of discussion that the mysqli extension offers more functionality than the older stock MySQL functions... I've got a lot of code wrapped around the old ones and have not had any need for the newer functionality, so I've not even tried them yet.
DangerMouse
« Reply #2 on: November 27, 2007, 01:15:29 PM »

To be honest I only use the most basic functionality, so I can't really see that I need the features, although an OOP approach might be nice.

What security measures do you normally take to prevent SQL injection in your wrapper methods, Perk? I'm totally paranoid about security stuff; XSS and SQLi seem so 'easy' from what I've seen, yet I don't know enough about char sets etc. to work against it.

DM
perkiset
« Reply #3 on: November 27, 2007, 10:03:49 PM »

First off, I never pass an unfiltered URL to anything critical in my systems. Searches are one of the few places where parameters passed to me are even used, and I'll strip everything non-A-Z0-9 out of them before I even throw it at the database. Everything else, the user may send me an intention, but I create the SQL or exec or whatever on the back side myself rather than using what they send me.

Jason D handed me my lunch one day looking at one of my older sites - what a hoot! He took that bastard out for a drive and never came back. Not a database issue, an XSS issue, but still not good.

So this simple set of rules also plays nicely to anti-XSS strategies as well.
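A worked example covering both the prepared-statement question from the opening post and the A-Z0-9 allowlist described in the reply above. This is added code, not code from the thread or from anyone's wrappers: the `products` table, the connection parameters and the attacker strings are all constructed for illustration, and `mysqli` is used because that is the extension the thread asks about.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes a MySQL table (hypothetical):
//   CREATE TABLE products (id INT PRIMARY KEY, name VARCHAR(100));
// Connection parameters below are placeholders.

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed attacker input: closes the string literal and widens the WHERE clause.
$attackerInput = "foo' OR '1'='1";

// 1. VULNERABLE (old mysql_query style): SQL text built by interpolation.
//    With the input above this yields
//      SELECT id, name FROM products WHERE name = 'foo' OR '1'='1'
//    which returns every row. Shown as a string only; never execute it.
function vulnerableQuerySql(string $term): string
{
    return "SELECT id, name FROM products WHERE name = '$term'";
}

// 2. HARDENED: mysqli prepared statement. The statement text goes to the
//    server first and the value is bound afterwards, so the input is always
//    treated as data and can never change the shape of the query.
function findProductsPrepared(mysqli $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name = ?');
    $stmt->bind_param('s', $term);          // 's' = bind as a string, whatever it contains
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $name];
    }
    $stmt->close();
    return $rows;
}

// 3. The allowlist from the reply: keep only A-Z, a-z, 0-9. Not a substitute
//    for binding, but for a LIKE search it also strips '%' and '_', which a
//    bound parameter does NOT neutralise: they are ordinary data to the
//    driver, yet still wildcards once inside a LIKE pattern.
function allowlistSearchTerm(string $term): string
{
    return preg_replace('/[^A-Za-z0-9]/', '', $term);
}

function searchProductsLike(mysqli $db, string $rawTerm): array
{
    $pattern = '%' . allowlistSearchTerm($rawTerm) . '%';
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $name];
    }
    $stmt->close();
    return $rows;
}

// Usage (placeholder credentials and database name):
$db = new mysqli('localhost', 'app_user', 'app_password', 'shop');

echo vulnerableQuerySql($attackerInput), "\n";      // the widened query text
print_r(findProductsPrepared($db, $attackerInput)); // only a row literally named "foo' OR '1'='1"
print_r(searchProductsLike($db, "%' OR '1'='1"));   // searched as "%OR11%" after the allowlist

$db->close();
```

On the performance question from the opening post: a prepared statement costs one extra round trip for the `prepare()` call, so when the same query runs many times, prepare it once and call `execute()` repeatedly with different bound values rather than preparing inside the loop.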