January 6th, 2013, 08:55 PM
Can we sticky the deprecation of mysql EXT.
Could we make a sticky for the deprecation of the mysql extension to avoid confusion.
I was not aware of the deprecation of the extension until being advised by some senior members here and seeing other posts shows that many others are also unaware of these changes.
January 6th, 2013, 09:09 PM
I've already asked someone to write a sticky on the subject, like what's wrong with mysql and how to switch to PDO/mysqli, but if anyone else like to write something then we can definitely pin it up there.
January 6th, 2013, 11:42 PM
I'm working on a list of "5 common security sins", which includes an explanation of SQL injections and how to avoid it with prepared statements using either PDO or MySQLi. I do mention mysql_real_escape_string() as a workaround for big legacy projects, however.
I think a complete list makes more sense than just addressing a particular aspect of unsecure code. Whenever you see certain bad practices, you can then simply link to the corresponding "chapters" instead of explaining the same stuff over and over again (why mysql_... is bad, why you must use htmlentities() etc.)
The content is as follows:
- Don't insert raw values into query strings (SQL injections)
- Don't insert raw values into HTML markup (XSS)
- Don't display internal error messages
- Don't rely on MD5/SHA-2/... for password hashing (and don't store plaintext passwords, of course)
- Don't allow users to change data solely based on their login status (CSRF)
Comments on this post
January 7th, 2013, 03:44 AM
There's a link in my sig to an article that I think gives a good overview for beginners and the "copy and paste" (ahem) 'developers'