Re: sql injections/best practises

Thank you Christopher - this gives me some much needed direction.

--- On Fri, 11/7/08, Christopher Jones <christopher.jones@xxxxxxxxxx> wrote:

From: Christopher Jones <christopher.jones@xxxxxxxxxx>
Subject: Re:  sql injections/best practises
To: fmh102560@xxxxxxxxx
Cc: php-db@xxxxxxxxxxxxx
Date: Friday, November 7, 2008, 5:39 PM

mignon hunter wrote:
> I am trying to find some definitive best practices on database
> connections with php on both mysql and oracle.
>
> I'm starting to redesign a corporate website and am trying to find out
> more about security and the best practices for database queries and user input
> form handling.
>
> For example - what's the best usage - prepared statements? And does it
> have to be php 5? I need preferably a one stop shop as opposed to looking at
> dozens of different places. Can you advise a particular book? Website?
>
> I have checked out the security area on the php manual and some users
> notes - some were useful. But it didn't really have a lot of info and I don't
> think it is comprehensive or all inclusive.
>
> Thanks in advance. PS I would like to switch the current site from jsp to
> php. I was going to look into Zend IDE. Comments? Suggestions?
>
> thanks


PHP 5.2 is the way to go for new projects: PHP 4 isn't being
maintained.

Binding/preparing statements is the way to go.  Here are quotes about
them with MySQL & Oracle:

    "They are useful for speeding up execution when you are performing
    large numbers of the same query with different data.  They also
    protect against SQL injection-style attacks."  (From "PHP and
    MySQL Web Development", 4th Edition, Luke Welling and Laura
    Thomson)

    "If I were to write a book about how to build nonscalable [note
    the NON] Oracle applications, then 'Don't Use Bind Variables'
    would be the title of the first and last chapters. [...] If you
    want to make Oracle run slowly [...] just refuse to use bind
    variables" (From "Expert Oracle Database Architecture", Tom
    Kyte)

Depending on the site needs, consider a DB abstraction layer or a
framework.

For high performance connections in PHP OCI8 for Oracle, use
oci_pconnect() and pass the character set.

There are a number of Oracle-PHP books available.  One free,
introductory one is the "Underground PHP & Oracle Manual",
http://tinyurl.com/f8jad (A new edition will be released in the next
couple of weeks)

Chris

-- Email: christopher.jones@xxxxxxxxxx  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/f8jad
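To make the advice in Chris's reply concrete, here is an added example that is not part of the thread or of any code Chris posted: one user lookup written first with string concatenation and then with a mysqli prepared statement and an OCI8 bind variable, plus the persistent Oracle connection with an explicit character set that the reply mentions. It assumes a table `users` with columns `id`, `email` and `username`; the host names, schema and credentials are placeholders, and `findUserUnsafe`, `findUserMysqli` and `findUserOci8` are names chosen for the example.

```php
<?php
// Added example, not from the mailing-list thread. Assumes a `users` table
// with columns id, email, username; connection details are placeholders.

// --- Vulnerable form: the input becomes part of the SQL text ------------
// A quote character inside $username ends the string literal early, and
// whatever follows is parsed as SQL, so the input can change the query's
// structure instead of just supplying a value.
function findUserUnsafe(mysqli $db, $username)
{
    $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- mysqli prepared statement: SQL text and data are sent separately ---
// The statement is parsed once with a '?' placeholder; the value bound later
// is always treated as data and can never alter the parsed query.
function findUserMysqli(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($id, $email);     // bind_result works without mysqlnd
    $row = null;
    if ($stmt->fetch()) {
        $row = array('id' => $id, 'email' => $email);
    }
    $stmt->close();
    return $row;
}

// --- OCI8 bind variable: the Oracle equivalent, using a named placeholder -
// Binding also lets Oracle reuse the parsed statement in the shared pool,
// which is the scalability point in the Tom Kyte quote above.
function findUserOci8($conn, $username)
{
    $stid = oci_parse($conn, 'SELECT id, email FROM users WHERE username = :uname');
    oci_bind_by_name($stid, ':uname', $username);   // binds the PHP variable by reference
    if (!oci_execute($stid)) {
        $e = oci_error($stid);
        oci_free_statement($stid);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }
    $row = oci_fetch_assoc($stid);       // keys are upper-case column names (ID, EMAIL)
    oci_free_statement($stid);
    return $row === false ? null : $row;
}

// Usage with placeholder credentials (constructed for this example).
// Persistent Oracle connection with the character set passed explicitly, as
// the reply recommends; AL32UTF8 is Oracle's name for UTF-8.
$conn = oci_pconnect('app_user', 'PLACEHOLDER_PASSWORD', 'localhost/XE', 'AL32UTF8');
$db   = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'appdb');

$username = isset($_GET['u']) ? $_GET['u'] : '';
var_dump(findUserMysqli($db, $username));
var_dump(findUserOci8($conn, $username));
```

The bound versions need no escaping of `$username` at all: the placeholder is fixed at parse time, so the database never interprets the value as SQL. Note that `findUserMysqli` uses `bind_result()` rather than `get_result()`, because the latter requires the mysqlnd driver (PHP 5.3 and later), while `bind_result()` works on the PHP 5.2 builds the reply recommends.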

