    #16
  1. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    Because you'll forget.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  2. #17
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by christdi
    Don't quite understand the concept yet other than what php.net says (a statement that is used to execute the same statement repeatedly with high efficiency).
    That's a bad description. The main purpose of prepared statements is security. Prepared statements are the only reliable protection against SQL injections.

    The fact that prepared statements are sometimes more efficient than raw queries is just a nice side effect for most people. Don't rely on this, and don't use prepared statements for this reason.



    Originally Posted by christdi
    PHP.net also says the same degree of security can be achieved with non-prepared statements, if input values are escaped correctly.
    There are a lot of things that can be done. That doesn't mean they are done.



    Originally Posted by christdi
    So why not just use non prepared statements and remember to escape input values ?
    Why do we need seatbelts and airbags? Why can't we just all drive according to the rules and never have an accident?

    Humans are fallible. We make mistakes all the time, no matter how intelligent, knowledgeable and careful we are. We know the traffic rules, we know how to drive safely. Yet still there are car accidents all the time. We have come to realize that we cannot rely on human perfection, and that's why we have invented the seatbelt and the airbag.

    Or take pilots as an example: Pilots know how to fly, they know what to do. Maybe they've been doing this job for 20 years and know every safety procedure inside out. Yet still they all go through the same checklists again and again every time they sit in the cockpit. Because we have realized that even the best and most experienced pilots sometimes make mistakes. And in order to save lives, we must minimize this risk.

    It would be great if software developers finally concluded that they're fallible too. I mean, have you never heard of the SQL injection attacks against big companies like Sony? Have you never seen a bugtracker of a big web application like Drupal or Joomla? Those people usually know that they have to escape data before putting it into a query. Yet still they fail to do so.

    Long story short: Manual escaping does not work in reality. It works as a theoretical model, but it breaks down as soon as real people are involved. Because people sometimes forget the escaping, or they misjudge the danger of an input value, or they use the wrong escaping function, or they mess up the character encoding and so on. The possibilities of failure are endless. You should know that, because in your first code, you had no escaping at all.

    Comments on this post

    • Northie agrees
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
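The point of the post above, shown in working code. This is an added example, not code from the thread: the same lookup done once by string concatenation and once with a prepared statement, against an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs without a MySQL server. The PDO calls are the same for the mysql driver; only the DSN differs. The table, the rows and the attacker input are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Requires the pdo_sqlite extension.
declare(strict_types=1);

function makeDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample data.
    $dbh->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $dbh;
}

// 1. Concatenation: whatever the user typed becomes part of the SQL grammar.
function lookupByConcatenation(PDO $dbh, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the SQL is compiled first, the value is supplied
//    afterwards as a parameter and can only ever be compared as data.
function lookupByPreparedStatement(PDO $dbh, string $name): array
{
    $stmt = $dbh->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$dbh = makeDb();

// Constructed attacker input: closes the quoted literal, then adds a tautology.
$input = "nobody' OR '1'='1";

// The concatenated query becomes
//   SELECT name FROM users WHERE name = 'nobody' OR '1'='1'
// and returns every row: ['alice', 'bob'].
$leaked = lookupByConcatenation($dbh, $input);

// The prepared statement looks for a user literally named "nobody' OR '1'='1"
// and returns nothing: [].
$safe = lookupByPreparedStatement($dbh, $input);

printf("concatenated: %s\nprepared:     %s\n", json_encode($leaked), json_encode($safe));
```

Run it with `php example.php`. The concatenated version leaks both names; the prepared version returns an empty array because the quote in the input never reaches the SQL parser as syntax. Nothing in the prepared version depends on the developer remembering to call an escaping function.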
  4. #18
  5. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4124
    Even when you think you're doing things right....you might not be.

    I think Jacques1 hit the nail on the head when he said "[because ... they] misjudge the danger".

    You think you're doing things ok, you may be blissfully unaware of the character encoding issues/bugs that can lead to injection even using manual escaping / emulating prepared statements.

    It's for the reason that you are probably misjudging the danger that you should endeavour to use a more foolproof method.

    Today, that method is prepared statements (without emulation)
    Last edited by Northie; May 31st, 2013 at 10:42 AM.
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
  6. #19
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2004
    Location
    Trondheim, Norway
    Posts
    251
    Rep Power
    11
    Thanks for taking time to answer and for your examples.

    I have rewritten the script a little bit from misc. examples on PHP.net. Specifically from one of the http://www.php.net/manual/en/pdostatement.fetch.php examples.
    I know I have not done a proper prepared statement here either, and that it's not necessary here, but I have kept it in anyway. I just want to get into that habit as I will be writing code that inserts into and edits MySQL tables later.

    PHP Code:
    <?php
    $dbh  = new PDO("mysql:host=localhost;dbname=db", 'user', 'pass'); // connect to mysql DB
    $stmt = $dbh->prepare("SELECT id, title FROM text ORDER BY title ASC"); // prepare SELECT statement
    $stmt->execute(); // execute SELECT statement
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); // read the result set once (a separate fetch() for the header would consume the first row)

    echo "<table border='1'><tr>"; // html table
    foreach (array_keys($rows[0] ?? []) as $key) { // column names become the header row
        print "<th bgcolor='lightgrey'>" . htmlspecialchars($key) . "</th>";
    }
    echo "</tr>";
    foreach ($rows as $row) { // one html row per result row
        $id    = (int) $row['id']; // id is numeric, so cast it before it goes into a URL
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'); // escape DB content before printing it as HTML
        print "<tr><td>$id</td><td><a href='read.php?id=$id'>$title</a></td>";
        print "<td><a href='edit.php?id=$id'>Edit</a> | <a href='shure.php?id=$id'>Del</a></td></tr>";
    }
    echo "</table>";
    ?>
    As always I welcome critique of my code so I can learn more.
    Last edited by christdi; June 5th, 2013 at 09:23 AM.
    http://chrisdee.bandcamp.com
  8. #20
  9. No Profile Picture
    Dazed&Confused
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2002
    Location
    Tempe, AZ
    Posts
    506
    Rep Power
    128
    Originally Posted by Jacques1
    Why do we need seatbelts and airbags? Why can't we just all drive according to the rules and never have an accident?
    Because other people suck at driving.

    Comments on this post

    • Northie disagrees
  10. #21
  11. No Profile Picture
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Dec 2004
    Posts
    3,031
    Rep Power
    377
    I think in the first line you need to tell PDO to actually use prepared statements and not fake them.

    $db = new PDO('mysql:host=xxx;dbname=xxx;charset=utf8', 'xxx', 'xxx');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    also note the use of charset.

    Also, I don't know why you are fetching them TWICE. Why not use fetchAll, store it in an array, close the connection and then play around with the array? (Assuming there is a performance hit to what you are doing currently, but even if not, it doesn't look right.)
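The three connection settings from the post above, put into a reusable connection function together with the prepared UPDATE and DELETE that the edit and delete links in christdi's listing will need. This is an added example, not code from the thread: the host, database name, the `text` table and its `body` column are assumptions, and the credentials are read from the environment variables `DB_USER` and `DB_PASS` (also an assumption). The DSN uses `utf8mb4`, which on MySQL is full four-byte UTF-8; the `utf8` alias in the post only covers three-byte characters.

```php
<?php
// Added example (not from the thread). Assumes a MySQL server with a table
// text(id INT PRIMARY KEY, title VARCHAR, body TEXT) and DB_USER/DB_PASS set.
declare(strict_types=1);

function connect(): PDO
{
    // charset in the DSN: the driver negotiates the connection character set
    // with the server, so both sides agree on where each character ends.
    $dsn = 'mysql:host=localhost;dbname=db;charset=utf8mb4';

    return new PDO($dsn, (string) getenv('DB_USER'), (string) getenv('DB_PASS'), [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: query text and parameter values travel
        // separately, so no client-side quoting of values takes place at all.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Returns the number of rows changed (0 means no row with that id).
function updateText(PDO $dbh, int $id, string $title, string $body): int
{
    $stmt = $dbh->prepare('UPDATE text SET title = :title, body = :body WHERE id = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':body',  $body,  PDO::PARAM_STR);
    $stmt->bindValue(':id',    $id,    PDO::PARAM_INT); // typed bind, so the server sees an integer
    $stmt->execute();
    return $stmt->rowCount();
}

function deleteText(PDO $dbh, int $id): int
{
    $stmt = $dbh->prepare('DELETE FROM text WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

try {
    $dbh = connect();

    // Cast the id from the query string before it goes anywhere near SQL; a
    // non-numeric value becomes 0 and simply matches no row.
    $id = (int) ($_GET['id'] ?? 0);

    if (($_POST['action'] ?? '') === 'delete') {
        $changed = deleteText($dbh, $id);
    } else {
        $changed = updateText($dbh, $id, (string) ($_POST['title'] ?? ''), (string) ($_POST['body'] ?? ''));
    }
    echo $changed === 1 ? 'ok' : 'no such row';
} catch (PDOException $e) {
    // Keep the driver's message in the server log; the browser gets a generic error.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'database error';
}
```

With emulation switched off, PDO never builds the final SQL string on the client, which is what takes the character-encoding problems mentioned earlier in the thread out of the picture. Binding the id with `PDO::PARAM_INT` matters for native prepares: the server receives a typed integer rather than a quoted string.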