Why no PDO?
#11

[eluser]Crag[/eluser]
[quote author="ipsod" date="1296962893"]Thanks JonoB, PHP Active Record looks awesome.

Rick Jolly, I understand that it does, but this site and others like it are what led me to think that that wasn't good enough.

http://bobby-tables.com/
Quote: There is only one way to avoid [injection] attacks

* Do not create SQL statements that include outside data.
* Use parameterized SQL calls.

That's it. Don't try to escape invalid characters. Don't try to do it yourself. Learn how to use parameterized statements. Always, every single time.

The strip gets one thing crucially wrong. The answer is not to "sanitize your database inputs" yourself. It is prone to error.
[/quote]

With the PDO you can bind your vars/fields. But you don't have to. It's extra work, especially with big forms. But it is worth the time. But you still should sanitize your data. PHP provides some nice tools for that (there's a link in my post above).

It is not hard to protect your site from a SQL Injection attack. You just can't be lazy. Every form, every page where a user can type data, must be sanitized.

And CI does it all for you, if you want. Easy peasy.
#12

[eluser]EugeneS[/eluser]
[quote author="Crag" date="1303558309"]I don't understand why'd you use the PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP's Sanitize Filters as well.[/quote]

There is one small thing - the customer wants PDO to be used - this should be the answer to the WHY :)
#13

[eluser]Crag[/eluser]
[quote author="EugeneS" date="1303562398"][quote author="Crag" date="1303558309"]I don't understand why'd you use the PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP's Sanitize Filters as well.[/quote]

There is one small thing - the customer wants PDO to be used - this should be the answer to the WHY :)[/quote]

Ok. Good enough for me. ;)
#14

[eluser]Twisted1919[/eluser]
[quote author="EugeneS" date="1303562398"]
There is one small thing - the customer wants PDO to be used - this should be the answer to the WHY :)[/quote]
The customer has no clue what PDO is.
#15

[eluser]InsiteFX[/eluser]
Besides if you want PDO then write a driver for it and the database stuff!

InsiteFX
#16

[eluser]Unknown[/eluser]
[quote author="Rick Jolly" date="1296974597"]ipsod, rest assured that mysql_real_escape_string() is completely safe. If it wasn't, most PHP applications would be vulnerable to SQL injection attack.

Of course, we developers can screw anything up when we don't know what we are doing.[/quote]

I'm sorry, but this is bad advice. Parameterization is much safer than escaping query strings. Abstraction and security are the main reasons for the use of PDO. Performance is nothing but a side effect. If you want to improve query performance, you use sensible indexes and stored procedures (and beyond that sharding, clustering, etc.).

mysql_real_escape_string does very little to prevent injection attacks.
#17

[eluser]n0xie[/eluser]
[quote author="ithcy" date="1305614284"]
mysql_real_escape_string does very little to prevent injection attacks.[/quote]
Orly?

Example/proof please. Else just about ANY PHP Open Source Project (that I know of), including Drupal, WordPress, Joomla, Magento and any other you can name, has some serious bugfixing to do.
#18

[eluser]ci_user[/eluser]
Yeah, now if there was some decent documentation on how to get it to work!


[quote author="JonoB" date="1318172900"]PDO will be in CI very soon. https://github.com/EllisLab/CodeIgniter/pull/282[/quote]
#19

[eluser]Unknown[/eluser]
Now is a better time to move to PDO than any other time.

Quote: This extension (mysql_*) is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used.
From php.net

Move on from mysql_*, please.
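The contrast the thread keeps returning to (splicing escaped outside data into the SQL text versus binding it as a parameter with PDO), shown as an added example that is not from any poster in this thread. It runs against an in-memory SQLite database with constructed rows; the table name, columns and helper function names are assumptions.

```php
<?php
// Added example (not from the thread). In-memory SQLite so it runs offline;
// the users table and its two rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer real server-side prepares where the driver supports them
// (SQLite always does; on MySQL this turns off client-side emulation).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Pattern the quoted advice warns against: outside data becomes part of
// the SQL text, so the statement's structure depends on the input.
function findUserByConcatenation(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized form: the SQL text is fixed at prepare time and the value
// travels separately, so it can only ever be compared, never parsed as SQL.
function findUserByParameter(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly ordinary name that contains a quote character.
$input = "o'brien";

print_r(findUserByParameter($pdo, 'alice'));
print_r(findUserByParameter($pdo, $input)); // no such user, no error

try {
    findUserByConcatenation($pdo, $input);
} catch (PDOException $e) {
    // The quote in the data has changed the shape of the SQL itself.
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}
```

The same bound-parameter approach is what CodeIgniter's query bindings give you; the point is that the database never has to guess where the data ends and the SQL begins.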