Re: [off] PHP: a fractal of bad design

From:	Lester Caine	Date:	Wed, 11 Apr 2012 16:06:30 +0000
Subject:	Re: [off] PHP: a fractal of bad design
References:	1 2 3 4	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Ralph Schindler wrote:
Hey Lester,

That is almost archaic it's self ...
It should be replaced with a pointer to using parameters ( no we do not
need 'prepared statements', just parameters ). One of the first things I
implement on any code that I'm porting. Does away with any agro over
escaping strings and is totally save 'injection' wise.

While I generally agree, 'just parameters' does have it's limitations. Sometimes
there are special character sequences that can be exploited to escape out of a
quoted value in a SQL string.

Offhand, this comes to mind about MySQL:
http://bugs.mysql.com/bug.php?id=8378

Well if you must use a simple database ;)

I've never used MySQL simply because it has yet to get to the same standard as Firebird ... But I'm talking about passing parameters direct to '?' entries in the SQL - something which if it CAN be broken then the database is also broken? The database handles the 'data' going into a single field at a time.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php


   

Thread (42 messages)

• Adir KuhnTue, 10 Apr 2012 16:20:41 +0000
  • Pierre JoyeTue, 10 Apr 2012 16:31:57 +0000
    • Tom BoutellTue, 10 Apr 2012 18:18:01 +0000
      • Stas MalyshevTue, 10 Apr 2012 18:27:22 +0000
        • Richard LynchSat, 05 May 2012 16:17:34 +0000
          • Tjerk Anne MeestersMon, 07 May 2012 03:32:30 +0000
            • Arvids GodjuksMon, 07 May 2012 07:28:46 +0000
              • Kris CraigMon, 07 May 2012 08:31:00 +0000
                • Gustavo LopesMon, 07 May 2012 08:46:29 +0000
                  • Kris CraigMon, 07 May 2012 09:22:50 +0000
                    • Ferenc KovacsMon, 07 May 2012 09:31:55 +0000
                • Ferenc KovacsMon, 07 May 2012 08:56:40 +0000
                  • Tjerk Anne MeestersMon, 07 May 2012 09:33:08 +0000
                • Arvids GodjuksMon, 07 May 2012 10:41:27 +0000
              • Hartmut HolzgraefeMon, 07 May 2012 12:23:54 +0000
            • Hartmut HolzgraefeMon, 07 May 2012 12:38:01 +0000
              • Tjerk Anne MeestersMon, 07 May 2012 18:07:49 +0000
                • Raymond IrvingTue, 08 May 2012 01:25:57 +0000
                  • Matt WilsonTue, 08 May 2012 02:05:55 +0000
                    • Sanford WhitemanTue, 08 May 2012 05:16:10 +0000
                  • Joe GillottiWed, 09 May 2012 08:09:19 +0000
      • Pierre JoyeTue, 10 Apr 2012 19:50:50 +0000
  • Gustavo LopesTue, 10 Apr 2012 16:31:56 +0000
  • Stas MalyshevTue, 10 Apr 2012 16:38:08 +0000
    • Kris CraigTue, 10 Apr 2012 17:59:50 +0000
      • Ralf LangTue, 10 Apr 2012 18:12:39 +0000
        • Kris CraigTue, 10 Apr 2012 18:28:01 +0000
          • Lester CaineTue, 10 Apr 2012 18:49:57 +0000
          • Ralf LangWed, 11 Apr 2012 21:09:51 +0000
  • Ronald ChmaraTue, 10 Apr 2012 22:39:20 +0000
  • Yasuo OhgakiWed, 11 Apr 2012 07:29:53 +0000
    • CrocodileWed, 11 Apr 2012 08:14:15 +0000
    • Lester CaineWed, 11 Apr 2012 08:29:28 +0000
      • Ralph SchindlerWed, 11 Apr 2012 15:46:57 +0000
        • Lester CaineWed, 11 Apr 2012 16:06:30 +0000
          • Anthony FerraraWed, 11 Apr 2012 17:28:52 +0000
            • Lester CaineWed, 11 Apr 2012 18:44:52 +0000
              • Johannes SchlüterWed, 11 Apr 2012 21:05:18 +0000
  • Luke ScottWed, 11 Apr 2012 15:19:21 +0000
    • Hartmut HolzgraefeWed, 18 Apr 2012 08:44:17 +0000
  • Hartmut HolzgraefeWed, 18 Apr 2012 08:34:40 +0000
    • Philip OlsonWed, 18 Apr 2012 08:53:01 +0000