
Bulletproof Database Access


  • Bulletproof Database Access

    Originally posted by A friend
    I've read a number of books on PHP over the years, and almost all of them make the same mistakes when it comes to database access. Applications that use SQL improperly are susceptible to SQL injection attacks, which can literally hand your entire database (and its contents) over to the hackers. What's even worse is that the proper way to do database access is actually easier than the improper way.

    To illustrate, the example below shows proper SQL command construction.

    PHP Code:
    require_once 'DB.php';   // PEAR DB

    // The password/host part of this DSN was mangled by the forum's e-mail obfuscation; replace it.
    $dsn = 'mysql://root:[email protected]/posts';
    $db =& DB::Connect($dsn, array());
    if (PEAR::isError($db)) { die($db->getMessage()); }

    // The ? placeholder is bound to the value at execute time, so the post body is sent as data, never parsed as SQL.
    $sth = $db->prepare("INSERT INTO posts VALUES ( null, ? )");
    $res = $db->execute($sth, array( $_POST['post'] ));
    if (PEAR::isError($res)) { die($res->getMessage()); }
    I used the PEAR DB module to prepare a statement, with the ? placed where the arguments are to go. Some in the PHP community suggest that PEAR DB is slower. I haven't experienced that; and even if that were the case, I would still use PEAR DB because it provides portability and security features that the direct database access functions do not.

    A new alternative to PEAR DB is on the horizon as well; it's the PHP Database Objects (PDO) library. It's currently experimental and is worth monitoring in the long term as an alternative to PEAR DB.
    Does vBulletin have this currently, or is it coming soon?

    Best Regards

  • #2
    What are you asking for?

    We use PHP's mysql functions that are part of PHP itself, not the PEAR DB layer. I have no clue if it's coming in the future; however, I've never heard of this. We do, however, take great concern for security, and there is little chance of an SQL injection attack in the 3.5 line. Even then, not much of great importance can be retrieved by an injection attack. Passwords are double hashed into the database for security.


    • #3
      There are no plans to use the PEAR Database interface in vBulletin.

      vBulletin has its own robust database class and variable cleaning methods that do not rely on the PEAR interface. Data input goes through a series of filters that makes sure it is the correct type and then is fed to data managers if needed to check integrity.

      I do have to say though, your example above is pretty much how vBulletin handles queries but it has nothing to do with checking the integrity of the data or making sure that someone does not perform SQL injections, that needs to be done before you ever think about connecting to a database.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API - Full / Mobile
      Vote for your favorite feature requests and the bugs you want to see fixed.
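      The "series of filters that makes sure it is the correct type" described above, as an added example written for this thread (it is not vBulletin's own cleaning code): each request field is coerced to a declared type, or rejected, before any query is built. The field names, the rules and the two sample requests are constructed for illustration.

```php
<?php
// Added example, not vBulletin's code: a small "clean by expected type" filter in the
// spirit of post #3. Field names, rules and the sample requests are all constructed.

const T_INT  = 'int';
const T_UINT = 'uint';
const T_STR  = 'str';
const T_ENUM = 'enum';

/**
 * Coerce one raw request value to the declared type, or throw.
 * $rule: ['type' => T_*, 'max' => <max byte length>, 'allowed' => [...]]
 */
function clean_value($raw, array $rule)
{
    switch ($rule['type']) {
        case T_INT:
            if (!is_scalar($raw) || !preg_match('/^-?[0-9]{1,10}$/', (string) $raw)) {
                throw new InvalidArgumentException('expected a signed integer');
            }
            return (int) $raw;

        case T_UINT:
            if (!is_scalar($raw) || !preg_match('/^[0-9]{1,10}$/', (string) $raw)) {
                throw new InvalidArgumentException('expected an unsigned integer');
            }
            return (int) $raw;

        case T_STR:
            // Must be a real string (not an array smuggled in via field[]=...), valid UTF-8,
            // free of control characters other than tab/CR/LF, and within the length cap.
            if (!is_string($raw) || preg_match('//u', $raw) !== 1) {
                throw new InvalidArgumentException('expected a UTF-8 string');
            }
            if (preg_match('/[^\P{Cc}\t\r\n]/u', $raw)) {
                throw new InvalidArgumentException('control characters not allowed');
            }
            $max = $rule['max'] ?? 255;
            if (strlen($raw) > $max) {
                throw new InvalidArgumentException("string longer than $max bytes");
            }
            return $raw;

        case T_ENUM:
            // Whitelist: only the listed literals pass, compared strictly.
            if (!is_string($raw) || !in_array($raw, $rule['allowed'], true)) {
                throw new InvalidArgumentException('value not in allowed set');
            }
            return $raw;
    }
    throw new LogicException('unknown rule type ' . $rule['type']);
}

/** Apply a schema to a raw array; unknown fields are dropped, missing ones are errors. */
function clean_request(array $raw, array $schema): array
{
    $clean = [];
    foreach ($schema as $field => $rule) {
        if (!array_key_exists($field, $raw)) {
            throw new InvalidArgumentException("missing field '$field'");
        }
        $clean[$field] = clean_value($raw[$field], $rule);
    }
    return $clean;
}

// Constructed schema and requests.
$schema = [
    'threadid'  => ['type' => T_UINT],
    'sortorder' => ['type' => T_ENUM, 'allowed' => ['asc', 'desc']],
    'message'   => ['type' => T_STR, 'max' => 10000],
];

$good = ['threadid' => '42', 'sortorder' => 'desc', 'message' => "It's fine", 'extra' => 'ignored'];
var_dump(clean_request($good, $schema));   // threadid is now int(42); 'extra' is gone

$bad = ['threadid' => '42 abc', 'sortorder' => 'desc', 'message' => 'x'];
try {
    clean_request($bad, $schema);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: expected an unsigned integer
}
```

      The cleaned array is what the query layer receives; integers are real integers and enum fields can only hold one of the listed literals, so the query builder never has to reason about raw request input. This complements, rather than replaces, the placeholder binding shown in the first post.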


      • #4
        How about the new PHP Data Objects (PDO) interface in PHP 5.1.2? Will vB use the pdo_mysql extension in the near future?

        Last edited by StarShaper; Thu 23 Mar '06, 2:32am.


        • #5
          I can't imagine it, as that would require that we set up the minimum requirements to 5.1.2, which won't happen for a while.

          Here's the English version of your link btw:
          Best Regards
          Colin Frei

          Please don't contact me per PM.


          • #6
            Originally posted by Colin F
            I can't imagine it, as that would require that we set up the minimum requirements to 5.1.2, which won't happen for a while.
            Thank you for this information! I think the PDO Extension (API) is a great feature in PHP. It makes programming easier. And last but not least, the performance increases.
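            The first post's INSERT with a ? placeholder, redone with the PDO extension discussed in posts #4 to #6, as an added example that is not code from the thread or from vBulletin. It runs against an in-memory SQLite database so that it needs no MySQL server; the table, its columns and the sample post body are constructed.

```php
<?php
// Added example, not code from the thread or from vBulletin: the post #1 INSERT done
// with PDO, run against an in-memory SQLite database so it needs no MySQL server.
// Table name, columns and sample input are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Improper: the value is pasted into the SQL text, so any quote in it changes the query.
function insert_concat(PDO $db, string $body): void
{
    $db->exec("INSERT INTO posts (body) VALUES ('" . $body . "')");
}

// Proper: the value is bound to a ? placeholder; the driver sends it as data, not as SQL.
function insert_prepared(PDO $db, string $body): int
{
    $sth = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $sth->execute([$body]);
    return (int) $db->lastInsertId();
}

// Same idea for reads, with a named placeholder and an explicit parameter type.
function find_post(PDO $db, int $id): ?string
{
    $sth = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $sth->bindValue(':id', $id, PDO::PARAM_INT);
    $sth->execute();
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Constructed post body: an ordinary sentence that happens to contain an apostrophe.
$body = "It's easier than the improper way";

try {
    insert_concat($db, $body);   // the apostrophe ends the string literal early
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), "\n";
}

$id = insert_prepared($db, $body);
echo "prepared query stored row $id\n";
echo 'read back: ', find_post($db, $id), "\n";   // read back: It's easier than the improper way
var_dump(find_post($db, 999));                   // NULL: no such row
```

            The concatenated version fails on a perfectly legitimate post body, which is the same property an attacker relies on; the prepared version stores it verbatim because the driver never parses the bound value as SQL. On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the placeholders are prepared server-side rather than interpolated client-side by PDO.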


