Re: sql injections/best practises

Hi Christopher
 
One other question. Our current site is written in jsp with Oracle. I'd like to use PHP. Do you have any thoughts on this?
 
We're not really using JSP as it was intended (like using classes), and I think it has a lot of overhead and is overkill. It seems PHP would be a better choice for embedded HTML. For the most part the site mainly consists of relatively simple DB retrieval for several of our products, which then lists various documentation and reference material for each, all dynamic. And then we have a few very simple stand-alone user input forms occasionally.
 
Oracle is the DB on most of the site - a little MySQL too.


--- On Fri, 11/7/08, Christopher Jones <christopher.jones@xxxxxxxxxx> wrote:

From: Christopher Jones <christopher.jones@xxxxxxxxxx>
Subject: Re:  sql injections/best practises
To: fmh102560@xxxxxxxxx
Cc: php-db@xxxxxxxxxxxxx
Date: Friday, November 7, 2008, 5:39 PM

mignon hunter wrote:
> I am trying to find some definitive best practices on database
> connections with PHP on both MySQL and Oracle.
>
> I'm starting to redesign a corporate website and am trying to find out
> more about security and the best practices for database queries and user input
> form handling.
>
> For example - what's the best usage - prepared statements? And does it
> have to be PHP 5? I need preferably a one stop shop as opposed to looking at
> dozens of different places. Can you advise a particular book? Website?
>
> I have checked out the security area on the PHP manual and some users'
> notes - some were useful. But it didn't really have a lot of info and I don't
> think it is comprehensive or all inclusive.
>
> Thanks in advance. PS I would like to switch the current site from JSP to
> PHP. I was going to look into Zend IDE. Comments? Suggestions?
>
> thanks


PHP 5.2 is the way to go for new projects: PHP 4 isn't being
maintained.

Binding/preparing statements is the way to go.  Here are quotes about
them with MySQL & Oracle:

    "They are useful for speeding up execution when you are performing
    large numbers of the same query with different data.  They also
    protect against SQL injection-style attacks."  (From "PHP and
    MySQL Web Development", 4th Edition, Luke Welling and Laura
    Thomson)

    "If I were to write a book about how to build nonscalable [note
    the NON] Oracle applications, then 'Don't Use Bind Variables'
    would be the title of the first and last chapters. [...] If you
    want to make Oracle run slowly [...] just refuse to use bind
    variables" (From "Expert Oracle Database Architecture", Tom
    Kyte)

Depending on the site needs, consider a DB abstraction layer or a
framework.

For high performance connections in PHP OCI8 for Oracle, use
oci_pconnect() and pass the character set.

There are a number of Oracle-PHP books available.  One free,
introductory one is the "Underground PHP & Oracle Manual",
http://tinyurl.com/f8jad (A new edition will be released in the next
couple of weeks)

Chris

-- Email: christopher.jones@xxxxxxxxxx  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/f8jad

-- PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
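To make the bind-variable advice in Chris's reply concrete, here is an added example (not code from the thread or from either poster) showing the same product lookup written with string concatenation, which is the pattern that admits SQL injection, and then with bound variables via OCI8 for Oracle and mysqli for MySQL. Table and column names, the connection details, and the `AL32UTF8` character set are placeholders; it assumes a current PHP with the oci8 and mysqli extensions.

```php
<?php
// Added example, not from the mailing-list thread. Placeholder table
// "docs" with columns title/url/product; placeholder connection details.

// VULNERABLE: the input is spliced into the SQL text, so a crafted value
// changes the structure of the statement, not just the data it matches.
function productDocsUnsafe($conn, string $product): array
{
    $sql  = "SELECT title, url FROM docs WHERE product = '" . $product . "'";
    $stid = oci_parse($conn, $sql);
    oci_execute($stid);
    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// SAFE (Oracle/OCI8): the SQL text is fixed; the value is sent separately
// as a bind variable, which also lets Oracle reuse the parsed statement.
function productDocsOracle($conn, string $product): array
{
    $stid = oci_parse($conn, 'SELECT title, url FROM docs WHERE product = :product');
    oci_bind_by_name($stid, ':product', $product);
    oci_execute($stid);
    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

// SAFE (MySQL/mysqli): same lookup as a prepared statement with a bound
// string parameter ('s').
function productDocsMysql(mysqli $db, string $product): array
{
    $stmt = $db->prepare('SELECT title, url FROM docs WHERE product = ?');
    $stmt->bind_param('s', $product);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Persistent Oracle connection with an explicit character set, as the
// reply recommends; credentials and connect string are placeholders.
$ora   = oci_pconnect('USER', 'PASS', 'dbhost/ORCL', 'AL32UTF8');
$mysql = new mysqli('dbhost', 'user', 'pass', 'site');
print_r(productDocsOracle($ora, $_GET['product'] ?? ''));
print_r(productDocsMysql($mysql, $_GET['product'] ?? ''));
```

The unsafe function is kept only for contrast; in the bound versions the product value can contain quotes or SQL keywords without altering the query.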
