Why no PDO?
[eluser]Unknown[/eluser]
[quote author="Rick Jolly" date="1296974597"]ispod, rest assured that mysql_real_escape_string() is completely safe. If it wasn't, most PHP applications would be vulnerable to SQL injection attack. Of course, we developers can screw anything up when we don't know what we are doing.[/quote]

I'm sorry, but this is bad advice. Parameterization is much safer than escaping query strings. Abstraction and security are the main reasons for the use of PDO. Performance is nothing but a side effect. If you want to improve query performance, you use sensible indexes and stored procedures (and beyond that sharding, clustering, etc.). mysql_real_escape_string does very little to prevent injection attacks.
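The escaping-versus-parameterization point above, as an added example that is not code from this thread or from CodeIgniter. It runs against an in-memory SQLite database through PDO so it works offline; the `users` table and its rows are constructed here, and `escapeLikeMysql()` is an assumed stand-in that escapes the same characters `mysql_real_escape_string()` does (NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z) so that no MySQL server is needed. The payload is the classic case escaping cannot catch: a value that contains no quote characters, dropped into a query that never quoted it in the first place.

```php
<?php
// Added example for this thread, not code posted by anyone in it. Runs
// against in-memory SQLite through PDO; the table and rows are constructed.
// escapeLikeMysql() is an assumed stand-in for mysql_real_escape_string():
// it escapes NUL, \n, \r, \, ', " and \x1a and nothing else.

function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0)");
    return $db;
}

// Escape-then-interpolate. The column is numeric, so the developer left the
// value unquoted; escaping only touches quote and control characters, and the
// payload below contains none, so the query text itself is rewritten by input.
function lookupByEscaping(PDO $db, string $untrustedId): array
{
    $sql = 'SELECT id, name FROM users WHERE id = ' . escapeLikeMysql($untrustedId);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised query. The SQL text is fixed at prepare() time and the value
// travels to the driver separately, so it can never change the query's shape.
function lookupByParameter(PDO $db, string $untrustedId): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $untrustedId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Constructed attacker input: looks numeric, carries a tail clause, no quotes.
$payload = '2 OR 1=1';

printf("escaped + interpolated: %d row(s)\n", count(lookupByEscaping($db, $payload)));
printf("parameterised:          %d row(s)\n", count(lookupByParameter($db, $payload)));

// A well-formed id behaves the same under both paths, which is why the
// escaping version passes ordinary testing.
printf("parameterised, id=2:    %d row(s)\n", count(lookupByParameter($db, '2')));
```

With the payload, the escaped build executes `WHERE id = 2 OR 1=1` and returns every user, while the prepared statement compares the integer column against the literal string `2 OR 1=1` and matches nothing; the plain `2` finds exactly one row either way. Two caveats a practitioner should keep in mind: parameterization fixes query structure, not input validity, so an id should still be checked (for example with `filter_var($input, FILTER_VALIDATE_INT)`) before it reaches the database; and escaping, where it is used at all, only holds when the escaped value is also wrapped in quotes and the escape function knows the connection's character set, which is why the `mysql_*` API needed `mysql_set_charset()` alongside `mysql_real_escape_string()`.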
Messages In This Thread
Why no PDO? - by El Forum - 01-30-2011, 03:15 AM
Why no PDO? - by El Forum - 01-30-2011, 11:03 AM
Why no PDO? - by El Forum - 01-30-2011, 12:41 PM
Why no PDO? - by El Forum - 02-05-2011, 10:01 AM
Why no PDO? - by El Forum - 02-05-2011, 03:28 PM
Why no PDO? - by El Forum - 02-05-2011, 06:43 PM
Why no PDO? - by El Forum - 02-05-2011, 08:38 PM
Why no PDO? - by El Forum - 02-08-2011, 04:42 AM
Why no PDO? - by El Forum - 04-21-2011, 03:09 PM
Why no PDO? - by El Forum - 04-23-2011, 12:31 AM
Why no PDO? - by El Forum - 04-23-2011, 12:39 AM
Why no PDO? - by El Forum - 04-23-2011, 01:39 AM
Why no PDO? - by El Forum - 04-23-2011, 02:21 AM
Why no PDO? - by El Forum - 04-23-2011, 03:55 PM
Why no PDO? - by El Forum - 04-23-2011, 09:06 PM
Why no PDO? - by El Forum - 05-16-2011, 07:38 PM
Why no PDO? - by El Forum - 05-17-2011, 01:05 AM
Why no PDO? - by El Forum - 05-07-2012, 01:53 PM
Why no PDO? - by El Forum - 10-10-2012, 01:12 AM