On Tuesday 30 October 2007, Per Jessen wrote:
> Larry Garfield wrote:
> > Here's a bigger question: When will people stop using mysql_ as their
> > example API, when PDO is more standard in PHP 5 and more secure, and
> > mysqli is available as well?
>
> As always, the key question must be - what's the advantage of moving?
> When the developer benefits from something being "more standard" and
> more secure, then he'll change.
> If you want to force someone to change, you remove the interface (after
> having marked it deprecated for a while).

Prepared statements are inherently more secure than doing your own
escaping. Thus, given the bad rap that PHP had for years on the security
front, encouraging the use of prepared statements is up there with
discouraging the use of register_globals. The sooner you convince new PHP
programmers to do things in a naturally more secure way, the fewer bugs
they will accidentally introduce later. (And I say more secure because
nothing is 100% secure for you without effort; prepared statements and the
filter extension just make it a lot easier to write secure code.)

--
Larry Garfield
AIM: LOLG42
larry@xxxxxxxxxxxxxxxx
ICQ: 6817012

"If nature has made any one thing less susceptible than all others of
exclusive property, it is the action of the thinking power called an idea,
which an individual may exclusively possess as long as he keeps it to
himself; but the moment it is divulged, it forces itself into the
possession of every one, and the receiver cannot dispossess himself of
it." -- Thomas Jefferson

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
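The contrast the reply draws, as an added example that is not part of the thread: the same lookup written with hand escaping on the legacy mysql_ API and with a PDO prepared statement, plus the filter extension as an input check. The `users` table, DSN and credentials are assumed placeholders.

```php
<?php
// Added example (not from the mailing-list thread). Assumes a table
// users(id, name, email) and a PDO DSN/credentials; all are placeholders.
declare(strict_types=1);

// 1. Hand-rolled escaping with the legacy mysql_ API (removed in PHP 7, so
//    this function is shown for contrast only and is never called below).
//    The developer must remember mysql_real_escape_string() on every value,
//    and a quoting slip (for example an unquoted numeric column) still
//    leaves the query injectable even when escaping was applied.
function findUserLegacy(string $email)
{
    $safe = mysql_real_escape_string($email);
    $sql  = "SELECT id, name FROM users WHERE email = '$safe'";
    return mysql_query($sql);
}

// 2. PDO prepared statement: query text and data travel separately, so the
//    bound value cannot alter the SQL structure regardless of its contents.
function findUserPdo(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. The filter extension the reply mentions: validate the input's shape
//    before it reaches the database, so malformed input is rejected early.
function validateEmail(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Placeholder DSN and credentials; replace before use.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares rather than client-side quoting emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$email = validateEmail($_GET['email'] ?? '');
if ($email === null) {
    http_response_code(400);
    exit('invalid email');
}
var_dump(findUserPdo($pdo, $email));
```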