[H-GEN] Server-side Aggregator
Stephen Thorne
stephen.thorne at gmail.com
Thu Feb 23 21:01:16 EST 2006
On 2/24/06, Michael Anthon <michael at anthon.net> wrote:
> But that's not really a PHP problem. The problem there is people with no
> understanding of how to write safe database driven web interfaces. I could
> personally write code in probably 4 or 5 languages that would be open to SQL
> injection attacks. If you want to blame anyone here, blame MySQL for not
> implementing bind variables [1]
The fundamental problem, as I see it, is the way php makes it very
easy to do the wrong thing, while the right way is long winded and not
very obvious:
The Obvious Way:
mysql_query("UPDATE tablename SET foo='$bar' WHERE id=$id");
The Right Way:
// Undo magic_quotes first, so the value is not escaped twice below.
if (get_magic_quotes_gpc()) {
$bar = stripslashes($bar); $id = stripslashes($id);
}
// Escape every value before splicing it into the SQL text.
mysql_query("Update tablename SET
foo='".mysql_real_escape_string($bar)."' WHERE
id='".mysql_real_escape_string($id)."'") or die(mysql_error());
There's a fair bit of verbiage difference there.
Using a nicer abstraction, like PEAR::DB or whatever they call it is a
bit of a step up:
(from the peardb docs)
<?php
// Once you have a valid DB object named $db...
$sql = 'select * from clients where clientid = ? and statusid = ?';
$data = array(53, 4);
$res =& $db->query($sql, $data);
// Always check that result is not an error
if (PEAR::isError($res)) {
die($res->getMessage());
}
?>
The fact that mysql_query[1] is documented as anything other than a
"BUG DO NOT USE WITHOUT A DB ABSTRACTION LAYER", is entirely PHP's
fault.
[1] http://au.php.net/mysql_query
--
Stephen Thorne
Development Engineer
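The two styles the mail contrasts, as an added example that is not part of the original message: the "obvious" string-spliced query beside a placeholder query in the PEAR::DB style, written against PDO with an in-memory SQLite database (the clients table and its rows are constructed here; PDO with the sqlite driver is assumed to be available).

```php
<?php
// Added example, not code from the original mail. Uses SQLite in memory so it
// runs offline; the table contents are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE clients (clientid INTEGER, name TEXT, statusid INTEGER)");
$db->exec("INSERT INTO clients VALUES (53, 'Ada', 4), (54, 'O''Brien', 4)");

// The Obvious Way: user input is spliced into the SQL text. Any quote in
// $name closes the string literal, so the input changes the query's structure.
function findByNameUnsafe(PDO $db, string $name): array {
    $sql = "SELECT clientid FROM clients WHERE name='$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The placeholder way: the SQL text is fixed and the values travel separately,
// so the driver never re-parses them as SQL, whatever characters they contain.
function findByNameSafe(PDO $db, string $name, int $statusid): array {
    $stmt = $db->prepare('SELECT clientid FROM clients WHERE name = ? AND statusid = ?');
    $stmt->execute([$name, $statusid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A perfectly legitimate value that happens to contain an apostrophe.
$input = "O'Brien";

try {
    var_dump(findByNameUnsafe($db, $input));
} catch (PDOException $e) {
    // The apostrophe broke the statement. The same mechanism is what lets
    // attacker-controlled input rewrite the WHERE clause in the unsafe version.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// The placeholder query returns clientid 54 for the same input.
var_dump(findByNameSafe($db, $input, 4));
```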