  1. #1

    Best PHP mySQL Security

    Is there any one method or set of methods generally considered to be the best way of dealing with PHP MySQL security? I've heard all about mysql_escape_string and numerous others in my googlings, and also heard about parameterized queries, but then learned that they were ASP, not PHP. Is there a way to use parameterized queries in PHP?

    Any help, links, etc. are appreciated.

  • #2
    I use PDO. I even wrote a cool wrapper for it: http://zb3.zoklet.net/stats2/db.php.txt

    PDO allows for prepared statements and parameter binding so that you don't have to worry about injection and escaping your input (though you might still want to check for certain HTML entities). It comes shipped with PHP 5.something and up - run a phpinfo(); to see if you have it.

    With my wrapper you can do something as simple as:
    $db = new db("dbname");
    $data = $db->query_array("SELECT * FROM table WHERE abc=? AND def=?", array($_POST['abc'],$_POST['def']));

    Not sure how robust it is, but I've never had any issues with it and I just keep adding methods to the class. I use this mostly because of the debug function - I really hate not being able to just print $query; with parameters properly bound (since $query usually contains placeholders).

    If you want to use prepared statements to their full extent, I suggest not using my class because it doesn't allow for repeated execution of a single statement (i.e. you can't get a statement handle and keep rerunning it for different values). Of course, if you do your query correctly, you might not need to execute it more than once.
    Last edited by derzok; 07-29-2008 at 12:44 AM.
    zok@zoklet:~$ whereis zok
    zok: http://zoklet.net | http://zoklet.net/otg | /derzok/at/gmail/dot/com
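    The PDO approach described in the post above, as an added example that is not derzok's wrapper or any code from the original thread: a plain-PDO query with bound parameters, a prepared handle re-executed for several rows (the case the wrapper does not cover), and a display-only helper for printing a query with its values filled in. It assumes a MySQL database named "app" with a "users" table (id, name, email); the credentials are placeholders.

```php
<?php
// Added example, not the wrapper from the thread. Table "users(id, name, email)" and the
// credentials below are assumptions; replace them with real values.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares: values never touch the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Unsafe pattern for contrast (do not use): input concatenated into the SQL text can change
// the query's structure, e.g. a name containing a single quote.
// $sql = "SELECT * FROM users WHERE name = '" . $_POST['name'] . "'";

// Safe: the SQL text holds only placeholders; values are sent separately with a declared type.
function findUsers(PDO $pdo, string $name, int $minId): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name AND id >= :min_id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':min_id', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// One prepared handle executed repeatedly with different values.
function insertUsers(PDO $pdo, array $rows): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $inserted = 0;
    foreach ($rows as [$name, $email]) {
        $stmt->execute([$name, $email]); // positional values bound per execution
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

// Debug display only: substitutes named parameters into the placeholder text so the query
// can be printed. The returned string must never be executed; it is not escaped for MySQL.
function debugSql(string $sql, array $namedParams): string
{
    $shown = [];
    foreach ($namedParams as $placeholder => $value) {
        $shown[$placeholder] = is_int($value) ? (string) $value : var_export((string) $value, true);
    }
    return strtr($sql, $shown);
}

$rows = findUsers($pdo, $_POST['name'] ?? '', 1);
echo debugSql('SELECT id FROM users WHERE name = :name AND id >= :min_id',
              [':name' => "O'Brien", ':min_id' => 1]), "\n";
```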

  • #3
    Is there a PHP4 solution? Just for backwards compatibility, I'm hoping for it to work with PHP4.

