07-28-2008, 11:37 PM
Is there any one method or set of methods generally considered to be the best way of dealing with PHP/MySQL security? I've heard all about mysql_escape_string and numerous others in my googlings, and also heard about parameterized queries, but then learned that they were ASP, not PHP. Is there a way to use parameterized queries in PHP?
Any help, links, etc are appreciated. :)
07-29-2008, 12:30 AM
I use PDO. I even wrote a cool wrapper for it: http://zb3.zoklet.net/stats2/db.php.txt
PDO allows for prepared statements and parameter binding so that you don't have to worry about injection and escaping your input (though you might still want to check for certain HTML entities). It comes shipped with PHP 5.something and up - run a phpinfo(); to see if you have it.
With my wrapper you can do something as simple as:
$db = new db("dbname");
$data = $db->query_array("SELECT * FROM table WHERE abc=? AND def=?", array($_POST['abc'],$_POST['def']));
Not sure how robust it is, but I've never had any issues with it and I just keep adding methods to the class. I use this mostly because of the debug function - I really hate not being able to just print $query; with parameters properly bound (since $query usually contains placeholders).
If you want to use prepared statements to their full extent, I suggest not using my class because it doesn't allow for repeated execution of a single statement (i.e. you can't get a statement handle and keep rerunning it for different values). Of course, if you do your query correctly, you might not need to execute it more than once ;)
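As an added example (not the poster's wrapper and not code from the thread), the plain-PDO form of what the post describes: a fixed query with bound parameters, prepared once and re-executed, beside the string-building pattern it replaces. The database name, credentials, and the `users` table are assumptions.

```php
<?php
// Added example, not the poster's wrapper: the injectable pattern beside
// the PDO prepared-statement form. Assumes a MySQL database "app" with a
// table "users" (id, name, email); credentials are placeholders.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';

// Disable emulated prepares so MySQL binds parameters server-side.
$pdo = new PDO($dsn, 'appuser', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// VULNERABLE: the request value becomes part of the SQL text, so a quote
// inside $name changes the structure of the query itself.
function findUserUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name, email FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the SQL text is fixed; the value travels separately as a bound
// parameter and is never parsed as SQL, whatever it contains.
function findUser(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

// Prepared once, executed many times: the statement reuse the poster says
// the wrapper does not support.
function findUsers(PDO $pdo, array $names): array {
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $rows = [];
    foreach ($names as $name) {
        $stmt->execute([$name]);
        $rows = array_merge($rows, $stmt->fetchAll());
    }
    return $rows;
}

// Binding only covers values. Identifiers (table or column names) and
// ORDER BY clauses cannot be bound and must come from a fixed whitelist.
function listUsersSorted(PDO $pdo, string $column): array {
    $allowed = ['id', 'name', 'email'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('bad sort column');
    }
    return $pdo->query("SELECT id, name, email FROM users ORDER BY $column")->fetchAll();
}
```

With emulated prepares left at the default (on), PDO quotes and splices the values client-side instead, which is still far safer than concatenation but is not the same as server-side binding.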
07-29-2008, 01:19 AM
Is there a PHP4 solution? Just for backwards compatibility, I'm hoping for it to work with PHP4.