Bulletproof Database Access

  • StarShaper
    replied
    Originally posted by Colin F
    I can't imagine it, as that would require that we set up the minimum requirements to 5.1.2, which won't happen for a while.
    Thank you for this information! I think the PDO Extension (API) is a great feature in PHP. It makes programming easier. And last but not least, the performance increases.

    Regards

    Leave a comment:


  • Colin F
    replied
    I can't imagine it, as that would require that we set up the minimum requirements to 5.1.2, which won't happen for a while.

    Here's the English version of your link btw: http://php.net/manual/en/ref.pdo.php

    Leave a comment:


  • StarShaper
    replied
    How about the new PHP Data Objects (PDO) interface in PHP 5.1.2? Will vB use the pdo_mysql extension in the near future?

    Regards
    Last edited by StarShaper; Thu 23 Mar '06, 2:32am.

    Leave a comment:


  • Wayne Luke
    replied
    There are no plans to use the PEAR Database interface in vBulletin.

    vBulletin has its own robust database class and variable cleaning methods that do not rely on the PEAR interface. Data input goes through a series of filters that makes sure it is the correct type and then is fed to data managers if needed to check integrity.

    I do have to say though, your example above is pretty much how vBulletin handles queries, but it has nothing to do with checking the integrity of the data or making sure that someone does not perform SQL injections; that needs to be done before you ever think about connecting to a database.

    Leave a comment:


  • Zachery
    replied
    What are you asking for?

    We use PHP's mysql functions that are part of PHP itself, not the PEAR DB layer. I have no clue if it's coming in the future; however, I've never heard of this. We do, however, take great care over security, and there is little chance of a SQL injection attack in the 3.5 line. Even then, not much of great importance can be retrieved by an injection attack. Passwords are double hashed into the database for security.

    Leave a comment:


  • Augustino
    started a topic Bulletproof Database Access

    Bulletproof Database Access

    Originally posted by A friend
    I've read a number of books on PHP over the years, and almost all of them make the same mistakes when it comes to database access. Applications that use SQL improperly are susceptible to SQL injection attacks, which can literally hand your entire database (and its contents) over to the hackers. What's even worse, is that the proper way to do database access is actually easier than the improper way.

    To illustrate, the example below shows proper SQL command construction.

    PHP Code:
    <?php
    require_once("DB.php");
    // DSN format: driver://user:password@host/database
    // (the password/host part of this DSN is obscured in the thread as posted)
    $dsn = 'mysql://root:[email protected]/posts';
    $db =& DB::connect($dsn, array());
    if (PEAR::isError($db)) { die($db->getMessage()); }

    // Prepare once with a ? placeholder, then pass the user input as data.
    $sth = $db->prepare("INSERT INTO posts VALUES ( null, ? )");
    $db->execute($sth, array( $_POST['post'] ));
    ?>
    I used the PEAR DB module to prepare a statement, with the ? placed where the arguments are to go. Some in the PHP community suggest that PEAR DB is slower. I haven't experienced that; and even if that were the case, I would still use PEAR DB because it provides portability and security features that the direct database access functions do not.

    A new alternative to PEAR DB is on the horizon as well; it's the PHP Database Objects (PDO) library. It's currently experimental and is worth monitoring in the long term as an alternative to PEAR DB.
    Does vBulletin have this currently, or is it coming soon?

    Best Regards
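Added example, not code from the thread or from vBulletin: the INSERT from the quoted post written the unsafe way (string concatenation) beside the prepared-statement way, using PDO (which the thread asks about) against an in-memory SQLite database so it runs without a MySQL server. The table layout, the sample post text and the function names are constructed for this example.

```php
<?php
// Added example: unsafe concatenation vs. a prepared statement, using PDO.
// SQLite in memory is used so the script runs offline; for MySQL the DSN
// would be something like 'mysql:host=...;dbname=posts' (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Constructed sample input: an ordinary post that happens to contain an apostrophe.
$post = "It's easier to do it right.";

// Unsafe: the input is pasted into the SQL text, so the apostrophe terminates the
// string literal and the rest of the input is parsed as SQL. With this input that
// only yields a syntax error; crafted input could change what the statement does.
function insertUnsafe(PDO $db, string $post): bool {
    try {
        $db->exec("INSERT INTO posts VALUES (NULL, '" . $post . "')");
        return true;
    } catch (PDOException $e) {
        echo "unsafe insert failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// Safe: the SQL text is fixed when prepared and the value is bound as data,
// so no character in $post can alter the statement. Returns the new row id.
function insertSafe(PDO $db, string $post): int {
    $sth = $db->prepare('INSERT INTO posts VALUES (NULL, ?)');
    $sth->execute([$post]);
    return (int) $db->lastInsertId();
}

// Read a row back, again with a placeholder rather than concatenation.
function fetchBody(PDO $db, int $id): ?string {
    $sth = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $sth->execute([$id]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

insertUnsafe($db, $post);        // fails: the apostrophe broke the SQL
$id = insertSafe($db, $post);    // succeeds: the apostrophe is just data
echo "stored row $id: " . fetchBody($db, $id) . "\n";
```

Run with the pdo_sqlite extension enabled; the unsafe call prints a syntax error while the prepared call stores the text verbatim.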