Why no PDO?
[eluser]Crag[/eluser]
[quote author="ipsod" date="1296962893"]Thanks JonoB, PHP Active Record looks awesome. Rick Jolly, I understand that it does, but this site and others like it are what led me to think that that wasn't good enough. http://bobby-tables.com/ Quote: There is only one way to avoid [injection] attacks[/quote] With PDO you can bind your vars/fields. But you don't have to. It's extra work, especially with big forms. But it is worth the time. But you still should sanitize your data. PHP provides some nice tools for that (there's a link in my post above). It is not hard to protect your site from a SQL injection attack. You just can't be lazy. Every form, every page where a user can type data must be sanitized. And CI does it all for you, if you want. Easy peasy.
[eluser]EugeneS[/eluser]
[quote author="Crag" date="1303558309"]I don't understand why you'd use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP's Sanitize Filters as well.[/quote] There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY.
[eluser]Crag[/eluser]
[quote author="EugeneS" date="1303562398"][quote author="Crag" date="1303558309"]I don't understand why you'd use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP's Sanitize Filters as well.[/quote] There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY.[/quote] Ok. Good enough for me.
[eluser]Twisted1919[/eluser]
[quote author="EugeneS" date="1303562398"]There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY.[/quote] The customer has no clue what PDO is.
[eluser]InsiteFX[/eluser]
Besides, if you want PDO, then write a driver for it and the database stuff! InsiteFX
[eluser]Unknown[/eluser]
[quote author="Rick Jolly" date="1296974597"]ipsod, rest assured that mysql_real_escape_string() is completely safe. If it wasn't, most PHP applications would be vulnerable to SQL injection attack. Of course, we developers can screw anything up when we don't know what we are doing.[/quote] I'm sorry, but this is bad advice. Parameterization is much safer than escaping query strings. Abstraction and security are the main reasons for the use of PDO. Performance is nothing but a side effect. If you want to improve query performance, you use sensible indexes and stored procedures (and beyond that sharding, clustering, etc.). mysql_real_escape_string does very little to prevent injection attacks.
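The two points argued in this thread (Crag's "with PDO you can bind your vars/fields" and the reply above that parameterization is safer than escaping) come down to one distinction: whether user input becomes part of the SQL text or travels separately as a bound value. The following is an added example, not code from the thread or from CodeIgniter; it uses PDO with an in-memory SQLite database (the `users` table and its rows are constructed for the demonstration) so it runs offline with only the pdo_sqlite extension.

```php
<?php
// Added example: a concatenated query beside a PDO prepared statement.
// Uses in-memory SQLite so nothing outside this file is needed; the table
// contents are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable form: the input is spliced into the SQL text, so a quote in the
// input closes the string literal and the rest of the input becomes SQL.
function findUserConcat(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed at prepare time; the value is sent as
// a bound parameter and is compared as data, quotes and all.
function findUserBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input containing a quote (the bobby-tables case).
$input = "x' OR '1'='1";

// With concatenation the WHERE clause becomes  name = 'x' OR '1'='1',
// so the tautology matches every row; with binding the whole string is
// compared against the name column and no row is literally named that.
$concat = findUserConcat($db, $input);
$bound  = findUserBound($db, $input);

printf("concatenated query returned %d row(s)\n", count($concat));
printf("bound parameter returned    %d row(s)\n", count($bound));
```

Two practitioner notes: with the MySQL driver, PDO emulates prepared statements client-side by default, and `$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` switches to server-side prepares so the value never touches the SQL text at all; and escaping functions such as mysql_real_escape_string only help for values inside quoted string literals, which is the case Rick Jolly has in mind, while binding also covers the unquoted numeric and the mis-matched charset cases that escaping leaves to the developer.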
[eluser]n0xie[/eluser]
[quote author="ithcy" date="1305614284"]mysql_real_escape_string does very little to prevent injection attacks.[/quote] Orly? Example/proof please. Else just about ANY PHP open source project (that I know of), including Drupal, WordPress, Joomla, Magento and any other you can name, has some serious bugfixing to do.
[eluser]ci_user[/eluser]
Yeah, now if there was some decent documentation on how to get it to work! [quote author="JonoB" date="1318172900"]PDO will be in CI very soon. https://github.com/EllisLab/CodeIgniter/pull/282[/quote]
[eluser]Unknown[/eluser]
Now is a better time to move to PDO than any other time. Quote: This extension (mysql_*) is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. (From php.net) Move on from mysql_* please.