Sanitizing data using mysqli_real_escape_string [closed] - php

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I learned the following method to sanitize data:

    function sanitize($data)
    {
        return mysql_real_escape_string($data);
    }
Then the deprecation of some extensions within mysql is becoming a bit frustrating for beginners who did not know about it; however, it is a learning experience to learn PHP properly. It is recommended to use mysqli_real_escape_string instead, and since this function requires 2 parameters, I have the following:

    function sanitize($data)
    {
        // 1. Create a database connection
        $db = new mysqli('localhost', 'root', 'somepass', 'secured_login');
        if ($db->connect_errno) {
            $connect_error = 'Sorry, we are experiencing connection problems.';
            die($connect_error);
        }
        return htmlentities(strip_tags(mysqli_real_escape_string($db, $data)));
    }
However, I have been getting the sense that many PHP programmers highly recommend using the PDO method instead.
My apologies for such a long intro; my question is: Is it safe to use the modified function sanitize where mysqli_real_escape_string is used instead of mysql_real_escape_string?
If not, then by using PDO I would need to learn OOP PHP instead of procedural. I hope I framed this question correctly. Is mixing both programming orientations (procedural and OOP) frowned upon?
What is the real advantage of using PDO in the longer run? Thank you!

IMHO you have to learn how to use the PDO driver to prevent a headache by reinventing the wheel.
With an OOP driver like PDO you can also do cool stuff simply by extending the class, overriding some methods and changing a few lines of code.
You can also play with dependency-injected PDO-derived objects.
You can change the type of your database by editing the PDO::engine variable.
Plus you can easily prevent SQL injections of the 1st type.
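As an added example (not code from the question or the answer), here is what the "escape everything in sanitize()" approach becomes when written with PDO: one connection per request, a bound parameter instead of any escaping function, and htmlentities() moved to the HTML output boundary. The DSN, user name and password are placeholders; the users table with id and username columns is assumed.

```php
<?php
// Added example, not from the original post: the per-call sanitize() above is
// replaced by a prepared statement on one shared connection.
// Host, database name, user and password below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=secured_login;charset=utf8mb4';
    // Exceptions instead of silent failures; server-side prepares, not client emulation.
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The raw value travels to MySQL as a bound parameter; no escaping function is
// involved, so a username containing quotes or backslashes is matched verbatim.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// htmlentities() belongs where the value is printed into HTML, not before the
// query: escaping for two different contexts in one "sanitize" step corrupts data.
function renderUsername(array $user): string
{
    return '<span>' . htmlentities($user['username'], ENT_QUOTES, 'UTF-8') . '</span>';
}

$db   = connect();                      // one connection for the whole request
$user = findUser($db, $_GET['u'] ?? '');
if ($user !== null) {
    echo renderUsername($user);
}
```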

Related

Is there any downside with using the Ghost Lazy Loading pattern in this way? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
About the duplicate vote: This question is about the downsides of this approach, not about how to make this work. You can see it this way: that question asks how to do something and the answer says something useful; however, I ask about the downsides of the answer.
TL;DR: will I encounter any technical difficulty by using this wrapper class later on? Why haven't I seen anything like this before?
I've been experimenting with learning techniques for profiling recently and I found that creating the PDO instance is a place that could be optimized (~5ms). I don't need to use it in every call; however, I'm creating it in every call because of my code's structure. So, I just made this small class up:
    <?php
    namespace Library;

    // Wrapper for \PDO. It only creates the rather expensive instance when needed.
    // Use it exactly as you'd use the normal PDO object, except for the creation.
    // In that case simply do "new \Library\PDO($args);" with the normal args
    class PDO
    {
        // The actual instance of PDO
        private $db;
        // Constructor arguments, kept until the real PDO is needed
        private $args;

        public function __construct()
        {
            $this->args = func_get_args();
        }

        public function __call($method, $args)
        {
            if (empty($this->db)) {
                $Ref = new \ReflectionClass('\PDO');
                $this->db = $Ref->newInstanceArgs($this->args);
            }
            return call_user_func_array(array($this->db, $method), $args);
        }
    }
To call it you only need to modify this line:

    $DB = new \Library\PDO(/* normal arguments */);

And the type hint, if you are using one, to (\Library\PDO $DB).
It works flawlessly. It's also blazing fast (~0.2ms) when not using the PDO object and only introduces that ~0.2ms delay when using it (completely negligible). Now, I'm still learning about proper OOP, namespaces and general code structure, so I think I'm not qualified enough to answer my own question yet:
Will I encounter any technical difficulty by using this wrapper class later on? Why haven't I seen anything like this before? Therefore, why is this not more common or even default PDO behaviour?
Note: I intend to extend it further by adding a few more methods.
To answer your question: There is nothing wrong with this. This is a common optimization pattern, known as lazy loading, as you also mention in the comments.
While it could be implemented in different ways than what you have done here, your approach looks perfectly fine to me.

MySQLi and PDO Connection in PHP [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I was a MySQL PHP coder, but then I realized that it is vulnerable to SQL injections and mysqli_* functions are deprecated, so I decided to move on to some other way. I was wondering what is better, MySQLi or PDO?
What is the Most Secure?
What is quick in loading up data?
What is not vulnerable/least vulnerable to SQL Injections?
What is most popular and is preferred by the community?
I need help with these 4 questions and I am here to get them answered. I hope I will find high quality answers.
All three APIs are equally safe, quick and invulnerable.
PDO is preferred by the community because it is already a semi-DAL (Database Access Library), while both mysqli and mysql are just raw APIs that shouldn't be used as is but only as building material for such a library. And because the community has no desire/education/habit to create one out of the latter two APIs, PDO is left as the only choice.
As an old school programmer you need to know only two things:
Every variable should never go into the query directly but via a placeholder only.
Unlike mysql, PDO requires a connection variable to be always available. This means you need to learn what variable scope is and how to access a global variable.

Is there any way to quote a string without creating a real PDO object? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I am going to write a SQLBuilder for fun.
And to keep the query safe, I have to quote the value; for example, the value '12"3' should be '12\"3'. I can use mysql_real_escape_string('12"3') to do that, but this function will be removed from PHP, so I am using PDO now.
But if I want to quote a string with PDO, I have to create a real PDO object like this:

    $db = new PDO($connectString);

and then I can quote it like this:

    $db->quote('12"3');

which means that I have to connect to the database every time I quote a string.
But I really do not want to do this. I just want to build a query string, nothing else.
I just want a function or method that can replace mysql_real_escape_string() without connecting to the database.
So, is there any way to quote strings without creating a PDO object? Or another way to quote a string without a connection?
Escaping a string without knowledge of how it will be used (this includes knowing what encoding will be used by the database server and by the connection) is likely to fail for nonstandard settings. That's why mysql_real_escape_string() will in fact try to establish a connection to the database if none is present, and if it doesn't succeed it will raise an E_WARNING.
In other words: you need to know something about the database to escape strings properly. That's why you need the connection.
You are going to write a SQLBuilder in an exceptionally WRONG way. Practically, for some reason you chose Stone Age technology to build upon.
What your query builder actually has to do is build queries with placeholders in place of the actual data,
while the query runner has to accept a data array beside the query.
As simple as that.
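An added example (not code from the question or the answer) of the builder/runner split the answer describes: the builder needs no connection because it never quotes anything, it emits "?" placeholders and collects the raw values, and only the runner, which holds the PDO connection, binds them. The SelectBuilder class, its method names and the column whitelist are assumptions for this example.

```php
<?php
// Added example, not from the original post. The builder produces SQL with
// placeholders plus a parameter array; escaping never happens on the client.
declare(strict_types=1);

final class SelectBuilder
{
    private array $where  = [];
    private array $params = [];

    public function __construct(private string $table)
    {
        self::assertIdentifier($table);
    }

    // Column and table names are identifiers, not data: placeholders cannot stand
    // in for them, so they are validated against a strict pattern instead.
    private static function assertIdentifier(string $name): void
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
    }

    public function where(string $column, string $op, mixed $value): self
    {
        self::assertIdentifier($column);
        if (!in_array($op, ['=', '<>', '<', '>', '<=', '>=', 'LIKE'], true)) {
            throw new InvalidArgumentException("bad operator: $op");
        }
        $this->where[]  = "`$column` $op ?";
        $this->params[] = $value;   // kept raw; bound by the runner at execute()
        return $this;
    }

    /** @return array{0: string, 1: array} SQL text and its parameter list */
    public function build(): array
    {
        $sql = 'SELECT * FROM `' . $this->table . '`';
        if ($this->where !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $this->where);
        }
        return [$sql, $this->params];
    }
}

// Only the runner touches the database; the value '12"3' from the question is
// passed through unchanged and MySQL receives it as a bound parameter.
function run(PDO $db, string $sql, array $params): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Building is connection-free: `(new SelectBuilder('users'))->where('username', '=', '12"3')->build()` yields the text SELECT * FROM `users` WHERE `username` = ? together with the array ['12"3'], and run() is the only place a PDO object is needed.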

PHP PDO vs normal mysqli speed performance benchmark [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I'm working on a project, a social networking website, where speed optimization is very critical.
Is PDO FASTER?
I am thinking of switching to PDO. Is it recommended to use PDO for such a site?
I doubt using PDO or MySQLi will be the bottleneck, though if you ask for benchmarks, here they are (nothing serious, just a couple of tests).
In general, using one or the other is a matter of taste, and bottlenecks usually are somewhere else (e.g., queries, indexes, PHP code etc.).
One thing you might consider is using some DB wrapper, i.e., a class that uses either PDO or MySQLi, whichever you prefer. In your code, use this wrapper instead of using PDO or MySQLi directly. If you do this, you'll be able to switch between PDO, MySQLi or any other library by changing a single class instead of changing all the code.
I did a mini benchmark on this a while back. Conclusion: PDO and MySQLi are very similar, but the features in PDO are worth using.
http://cznp.com/blog/2/apples-and-oranges-mysqli-and-pdo

Changing this from MySQL to MySQLi? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I've decided to switch to MySQLi, because some people have told me it's more secure. What I'm really confused about is the new extension. I tried just adding 'i' after every mysql, but that gave me a crap load of errors. I looked up in the PHP manual why that was happening and there was a whole bunch of other functions. I honestly can't figure out how to convert. Can you help me out?

    include("dbinfo.php");
    mysql_connect($c_host, $c_username, $c_password);
    #mysql_select_db($c_database) or die(mysql_error());
    $mycon = new mysqli($c_host, $c_username, $c_password, $c_database);
    $query = "SELECT * FROM users WHERE username='" . $_COOKIE['username'] . "'";
    $result = mysql_query($query) or die(mysql_error());
    $num = mysql_numrows($result);
    $username = mysql_result($result, $i, "username");
Here's what you need to do:
Read the overview so that you have an understanding of the differences/advantages.
Consult the old -> new function summary on the PHP site and get your existing code up and running with the mysqli interface.
Take advantage of the improvements (such as using prepared statements); otherwise this is a futile exercise. (By default mysqli really isn't any more secure than mysql.)
One of the reasons MySQLi is more "secure" is because it offers a different interface, which is better in many ways. Instead of trying to translate your code directly, learn the new interface and use it. If that's all your code, it wouldn't be easy to rewrite from scratch, and, which is more important, look up the equivalents (and alternatives) for everything you're doing in the code that you pasted.
For starters, you should use $mysqli->prepare with parameters instead of interpolating variables like you're doing.
http://www.php.net/manual/en/mysqli.prepare.php
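As an added example (not code from the question or the answers), the pasted snippet rewritten line for line against the mysqli OOP interface with the prepared statement the answer recommends. dbinfo.php, the $c_* connection variables, the users table and the 'username' cookie are taken from the poster's code; mysqli_report() and get_result() are real mysqli calls, the latter requiring the mysqlnd driver.

```php
<?php
// Added example, not from the original post: the poster's mysql_* lines
// converted to mysqli with a bound parameter instead of string interpolation.
include "dbinfo.php";   // the poster's file, defines $c_host, $c_username, $c_password, $c_database

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of "or die(mysql_error())"
$mycon = new mysqli($c_host, $c_username, $c_password, $c_database);
$mycon->set_charset('utf8mb4');

// A cookie is client-controlled input; it is bound as a parameter, never concatenated.
$cookieUser = $_COOKIE['username'] ?? '';

$stmt = $mycon->prepare('SELECT username FROM users WHERE username = ?');
$stmt->bind_param('s', $cookieUser);   // 's' = one string parameter
$stmt->execute();

$result = $stmt->get_result();          // mysqli_result, like mysql_query() returned
$num    = $result->num_rows;            // replaces mysql_numrows($result)

// replaces mysql_result($result, $i, "username") for the first row
$row      = $result->fetch_assoc();
$username = $row['username'] ?? null;

$stmt->close();
```

Binding the value removes the injection; it does not make a plain cookie username a trustworthy identity, which the original snippet leaves as a separate problem.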
