Home/ Questions/Q 221361
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T19:01:34+00:00

So I’m a slightly seasoned php developer and have been ‘doin the damn thing’

  • 0

So I’m a slightly seasoned php developer and have been ‘doin the damn thing’ since 2007; however, I am still relatively n00bish when it comes to securing my applications. In the way that I don’t really know everything I know I could and should.

I have picked up Securing PHP Web Applications and am reading my way through it testing things out along the way. I have some questions for the general SO group that relate to database querying (mainly under mysql):

When creating apps that put data to a database is mysql_real_escape_string and general checking (is_numeric etc) on input data enough? What about other types of attacks different from sql injection.

Could someone explain stored procedures and prepared statements with a bit more info than – you make them and make calls to them. I would like to know how they work, what validation goes on behind the scenes.

I work in a php4 bound environment and php5 is not an option for the time being. Has anyone else been in this position before, what did you do to secure your applications while all the cool kids are using that sweet new mysqli interface?

What are some general good practices people have found to be advantageous, emphasis on creating an infrastructure capable of withstanding upgrades and possible migrations (like moving php4 to php5).

Note: have had a search around couldn’t find anything similar to this that hit the php-mysql security.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    My recommendations:

    1. ditch mysqli in favor of PDO (with mysql driver)
    2. use PDO paremeterized prepared statements

    You can then do something like:

    $pdo_obj = new PDO( 'mysql:server=localhost; dbname=mydatabase', 
                    $dbusername, $dbpassword );

$sql = 'SELECT column FROM table WHERE condition=:condition';
$params = array( ':condition' => 1 );

$statement = $pdo_obj->prepare( $sql, 
    array( PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY ) );
$statement->execute( $params );
$result = $statement->fetchAll( PDO::FETCH_ASSOC );

    PROs:

    1. No more manual escaping since PDO does it all for you!
    2. It’s relatively easy to switch database backends all of a sudden.

    CONs:

    • i cannot think of any.
    • 0