Hi Christopher,

One other question. Our current site is written in JSP with Oracle. I'd like to use PHP. Do you have any thoughts on this? We're not really using JSP as it was intended (like using classes) and I think it has a lot of overhead and is overkill. It seems PHP would be a better choice for embedded HTML. For the most part the site mainly consists of relatively simple DB retrieval for several of our products, which then lists various documentation and reference material for each, all dynamic. And then we have a few very simple stand-alone user input forms occasionally. Oracle is the DB on most of the site - a little MySQL too.

--- On Fri, 11/7/08, Christopher Jones <christopher.jones@xxxxxxxxxx> wrote:

From: Christopher Jones <christopher.jones@xxxxxxxxxx>
Subject: Re: sql injections/best practises
To: fmh102560@xxxxxxxxx
Cc: php-db@xxxxxxxxxxxxx
Date: Friday, November 7, 2008, 5:39 PM

mignon hunter wrote:
> I am trying to find some definitive best practices on database connections with PHP on both MySQL and Oracle.
>
> I'm starting to redesign a corporate website and am trying to find out more about security and the best practices for database queries and user input form handling.
>
> For example - what's the best usage - prepared statements? And does it have to be PHP 5? I need preferably a one stop shop as opposed to looking at dozens of different places. Can you advise a particular book? Website?
>
> I have checked out the security area on the PHP manual and some user notes - some were useful. But it didn't really have a lot of info and I don't think it is comprehensive or all inclusive.
>
> Thanks in advance. PS I would like to switch the current site from JSP to PHP. I was going to look into Zend IDE. Comments? Suggestions?
>
> thanks

PHP 5.2 is the way to go for new projects: PHP 4 isn't being maintained.

Binding/preparing statements is the way to go. Here are quotes about them with MySQL & Oracle:

"They are useful for speeding up execution when you are performing large numbers of the same query with different data. They also protect against SQL injection-style attacks."
(From "PHP and MySQL Web Development", 4th Edition, Luke Welling and Laura Thomson)

"If I were to write a book about how to build nonscalable [note the NON] Oracle applications, then 'Don't Use Bind Variables' would be the title of the first and last chapters. [...] If you want to make Oracle run slowly [...] just refuse to use bind variables"
(From "Expert Oracle Database Architecture", Tom Kyte)

Depending on the site needs, consider a DB abstraction layer or a framework.

For high performance connections in PHP OCI8 for Oracle, use oci_pconnect() and pass the character set.

There are a number of Oracle-PHP books available. One free, introductory one is the "Underground PHP & Oracle Manual", http://tinyurl.com/f8jad (A new edition will be released in the next couple of weeks)

Chris

--
Email: christopher.jones@xxxxxxxxxx
Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd
Free PHP Book: http://tinyurl.com/f8jad
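The advice in the reply above, binding with OCI8 through oci_pconnect() plus an explicit character set and prepared statements for MySQL, worked through for the kind of product-documentation lookup the site does. This is an added example, not code from the thread or from either book; the credentials, connect strings, and the product_docs table and its columns are placeholders.

```php
<?php
// Added example, not from the thread. Credentials, connect strings and the
// product_docs table/columns are placeholders; adjust them for a real site.
// The pattern to retire: splicing request data into the SQL text, so whatever
// the user sends becomes part of the statement. That is what injection exploits.
//   $sql = "SELECT title, url FROM product_docs WHERE product_id = '" . $_GET['product'] . "'";

// Oracle via OCI8: one parsed statement, the value supplied as a bind variable.
function productDocsOracle(string $productId): array
{
    // oci_pconnect() keeps a persistent connection; the 4th argument sets the
    // client character set explicitly, as the reply recommends.
    $conn = oci_pconnect('app_user', 'app_password', 'dbhost/ORCL', 'AL32UTF8');
    if ($conn === false) {
        $e = oci_error();
        throw new RuntimeException('Oracle connect failed: ' . $e['message']);
    }
    // :pid is a placeholder in the SQL; Oracle never sees the value as SQL text.
    $stid = oci_parse($conn, 'SELECT title, url FROM product_docs WHERE product_id = :pid');
    oci_bind_by_name($stid, ':pid', $productId);
    oci_execute($stid);
    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row; // keys are upper-case (TITLE, URL) for unquoted Oracle columns
    }
    oci_free_statement($stid);
    return $rows;
}

// MySQL via mysqli: the same idea with a "?" placeholder and bind_param().
function productDocsMysql(string $productId): array
{
    $db = new mysqli('dbhost', 'app_user', 'app_password', 'docs');
    $stmt = $db->prepare('SELECT title, url FROM product_docs WHERE product_id = ?');
    $stmt->bind_param('s', $productId);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($title, $url);     // works without mysqlnd, unlike get_result()
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['title' => $title, 'url' => $url];
    }
    $stmt->close();
    return $rows;
}

// The request value is passed through untouched; the driver, not string
// escaping, keeps it separate from the statement. Output is still HTML-escaped.
$productId = isset($_GET['product']) ? (string) $_GET['product'] : '';
foreach (productDocsOracle($productId) as $doc) {
    echo htmlspecialchars($doc['TITLE']), ': ', htmlspecialchars($doc['URL']), "\n";
}
```

The same bound value can be reused across repeated executions of the parsed statement, which is the performance point both quoted books make alongside the injection protection.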