Changing this from MySQL to MySQLi? [closed] - php

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I've decided to switch to MySQLi, because some people have told me it's more secure. What I'm really confused about is the new extensions. I tried just adding 'i' after every mysql, but that gave me a crap load of errors. I looked up in the PHP manual why that was happening and there was a whole bunch of other functions. I honestly can't figure out how to convert. Can you help me out?
include("dbinfo.php");
mysql_connect($c_host,$c_username,$c_password);                      // legacy mysql_* connection (the old extension)
#mysql_select_db($c_database) or die(mysql_error());
$mycon = new mysqli($c_host, $c_username, $c_password, $c_database); // mysqli object is created but never used below
$query="SELECT * FROM users WHERE username='" .$_COOKIE['username']. "'"; // cookie value interpolated straight into the SQL text
$result=mysql_query($query) or die(mysql_error());                   // still goes through the mysql_* API, not $mycon
$num=mysql_numrows($result);                                         // alias of mysql_num_rows()
$username=mysql_result($result,$i,"username");                       // $i (the row index) is not defined in this snippet

Here's what you need to do:
Read the overview so that you have an understanding of the differences/advantages.
Consult the old -> new function summary on the PHP site and get your existing code up and running with the mysqli interface.
Take advantage of the improvements (such as using prepared statements) otherwise this is a futile exercise. (By default mysqli really isn't any more secure than mysql.)

One of the reasons MySQLi is more "secure" is because it offers a different interface, which is better in many ways. Instead of trying to translate your code directly, learn the new interface and use it. If that's all your code, it wouldn't be easy to rewrite from scratch, and, more importantly, look up the equivalents (and alternatives) for everything you're doing in the code that you pasted.
For starters, you should use $mysqli->prepare with parameters instead of interpolating variables like you're doing.
http://www.php.net/manual/en/mysqli.prepare.php
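Both answers above say the same thing: get the code onto the mysqli interface, then replace the string-built query with a prepared statement. The following is an added example (not code from the question or either answer) that does exactly that for the cookie lookup in the question. It assumes dbinfo.php defines $c_host, $c_username, $c_password and $c_database as in the question and that the table has id and username columns; everything else is illustrative. Note that a prepared statement only removes the injection: like the original, this still treats a client-supplied cookie value as the user's identity.

```php
<?php
// Added example: the question's cookie lookup on mysqli with a prepared
// statement. Assumes dbinfo.php sets $c_host, $c_username, $c_password
// and $c_database, and that `users` has `id` and `username` columns.
require 'dbinfo.php';

// Make mysqli throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mycon = new mysqli($c_host, $c_username, $c_password, $c_database);
$mycon->set_charset('utf8mb4'); // binding/escaping is charset-aware

// Client-controlled input: the browser can send any value in this cookie.
$cookieUser = $_COOKIE['username'] ?? '';

// The question built the query as
//   "SELECT * FROM users WHERE username='" . $_COOKIE['username'] . "'"
// With a prepared statement the value is sent separately from the SQL
// text, so a cookie such as  x' OR '1'='1  is compared literally and
// never parsed as SQL.
$stmt = $mycon->prepare('SELECT id, username FROM users WHERE username = ?');
$stmt->bind_param('s', $cookieUser);   // 's' = bind as a string
$stmt->execute();
$result = $stmt->get_result();         // requires the mysqlnd driver
$num = $result->num_rows;              // replaces mysql_numrows()

if ($num === 1) {
    $row = $result->fetch_assoc();     // replaces mysql_result($result, $i, "username")
    $username = $row['username'];
    echo 'Found user: ', htmlspecialchars($username, ENT_QUOTES, 'UTF-8'), "\n";
} else {
    echo "No such user\n";
}

$stmt->close();
$mycon->close();
```

If the PHP build lacks mysqlnd, mysqli_stmt::get_result() is unavailable; in that case bind output columns with $stmt->bind_result($id, $username) and loop over $stmt->fetch() instead.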

Related

Databasing in Ruby [closed]

Closed 7 years ago.
I'm making a website for a group that needs a database. The data is going to store user information among other things. I already know PHP and could easily do it in PHP, but to further myself as a developer, I'd like to learn a language like Ruby. I know how to use databases in PHP. But, when writing Ruby, can I use SQL databases?
We don't know how you call your database in PHP. Many PHP users use MySQL and call SQL statements with the embedded mysql driver, and then iterate over the results.
You can do this also in Ruby. The mysql driver is not embedded, but you can easily install it with RubyGems. You need the mysql2 gem.
https://github.com/brianmario/mysql2
But if you want to be more object-oriented, there is the framework "Ruby On Rails" with "ActiveRecord" for database connection. Here you don't write SQL directly; instead you specify what objects you want to have or store (except in rare edge cases, where you still can write SQL).
This needs some learning time. But then it is a lot less coding, the code is more readable, and security errors are also easier to avoid.
The basic answer is yes - you can do something like that using Ruby and a framework like ActiveRecord or Sequel, but this is far too broad for StackOverflow.
Good afternoon.
It depends on the speed you need.
1) If you need it quickly, write it in PHP.
2) If you have some time and want to learn Ruby On Rails, ActiveRecord etc., buy a book for beginners, read the docs and create the application step by step.

Should a PDO script written for MySQL work with Oracle? [closed]

Closed 8 years ago.
I understand that in general PDO scripts are cross compatible i.e. generally changing the connection string should work.
In the past I've spent hours searching online after changing a PDO script connection string from MySQL to SQLite as this isn't the case, some things don't work the same (I remember an issue with row counting or something).
So should changing from MySQL to Oracle be generally simple, or are there things to watch out for as in the SQLite case?
So should changing from MySQL to Oracle be generally simple, or are there things to watch out for as in the SQLite case?
There are things to watch out for.
More seriously, beside basic SQL query, each RDBMS has its own set of specific features that have to be taken into account. Just to give one example, if you want to limit the result set to one row only, MySQL provides the LIMIT clause. But for Oracle up to 11g, you need a sub-query for that purpose.
If you really need cross-vendor support, you probably should take a look at some library providing a database abstraction layer, whose job is to allow you to write database-agnostic code. PDO isn't such a library. But Doctrine DAL, Zend_db and many others are.
It is now considered as off-topic to request suggestions for a tool here, but take a look at this old question if you need few pointers: Best PHP DAL (data abstraction layer) so far
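As an added example (not part of the question or the answer above), here is the single-row case the answer mentions handled in application code, together with the row-counting caveat the question alludes to. The table users(id, username), the DSNs and the credentials are placeholders; firstRowSql() and findUser() are illustrative helpers, not PDO API.

```php
<?php
// Added example: one place where "just change the DSN" is not enough under
// PDO, namely limiting a result to a single row. Table `users(id, username)`
// and the connection details are assumed.

function firstRowSql(PDO $pdo, string $baseSql): string
{
    // PDO::ATTR_DRIVER_NAME is 'mysql', 'oci', 'sqlite', ... for the active driver.
    switch ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME)) {
        case 'mysql':
        case 'sqlite':
        case 'pgsql':
            return $baseSql . ' LIMIT 1';
        case 'oci':
            // Oracle up to 11g has no LIMIT: wrap the ordered query and filter on ROWNUM.
            return 'SELECT * FROM (' . $baseSql . ') WHERE ROWNUM <= 1';
        default:
            throw new RuntimeException('No single-row idiom known for this driver');
    }
}

function findUser(PDO $pdo, string $username): ?array
{
    // Named placeholders work on every PDO driver; the value never enters the SQL text.
    $sql  = firstRowSql($pdo, 'SELECT id, username FROM users WHERE username = :u ORDER BY id');
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':u' => $username]);

    // Portability caveat: PDOStatement::rowCount() is only reliable for
    // INSERT/UPDATE/DELETE. For SELECT its value is driver-dependent (some
    // drivers return 0), so count what you actually fetch instead.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]; // fail loudly instead of returning false

// Same application code, different connection string (placeholder DSNs):
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', $options);
// $pdo = new PDO('oci:dbname=//dbhost:1521/ORCL', 'app', 'secret', $options);

var_dump(findUser($pdo, 'alice'));
```

The driver switch is the kind of per-vendor branch an abstraction layer such as the ones the answer names would hide behind a single call; with plain PDO you maintain it yourself for every non-standard clause you use.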

Sanitizing data using mysqli_real_escape_string [closed]

Closed 9 years ago.
I learned the following method to sanitize data
function sanitize($data)
{
    // escapes quotes/backslashes for use inside a quoted SQL string literal
    return mysql_real_escape_string($data);
}
Then the deprecation of some extension within mysql is becoming a bit frustrating for beginners that did not know about it; however, it is a learning experience to know PHP properly. It is recommended to use mysqli_real_escape_string instead, and since this function requires 2 parameters, I have the following
function sanitize($data){
    // 1. Create a database connection (a new one on every call, as root, with a hard-coded password)
    $db = new mysqli('localhost','root','somepass','secured_login');
    if($db->connect_errno){
        $connect_error = 'Sorry, we are experiencing connection problems.';
        die ($connect_error);
    }
    // SQL escaping, tag stripping and HTML encoding are all applied here, before the value is stored
    return htmlentities(strip_tags(mysqli_real_escape_string($db, $data)));
}
However, I have been getting the sense that many PHP programmers highly recommend using PDO method instead
My apologies for such a long intro; my question is... Is it safe to use the modified function sanitize where mysqli_real_escape_string is used instead of mysql_real_escape_string?
If not, then by using PDO I would need to learn OOP PHP instead of procedural. I hope I framed this question correctly. Is mixing both programming orientations (procedural and OOP) frowned upon?
What is the real advantage of using PDO in the longer run? Thank you!
IMHO you have to learn how to use the PDO driver to prevent a headache by reinventing the wheel.
With an OOP driver like PDO you can also do cool stuff simply by extending the class, overriding some methods and changing a few lines of code.
You can also play with dependency-injected PDO-derived objects.
You can change the type of your database by editing the PDO::engine variable.
Plus you can easily prevent SQL injections of the 1st type.
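The answer recommends PDO, dependency injection and prepared statements over an escaping helper. The following added example (not code from the question or the answer) shows what that looks like in place of the question's sanitize(): values that go into SQL are bound as parameters, and HTML encoding happens only where the value is printed, so the two concerns the original helper mixed together are kept apart. The table users(id, username, email), the credentials and the UserRepository class are assumed for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example replacing the sanitize() helper from the question with
// parameter binding for SQL plus output encoding for HTML. The table
// `users(id, username, email)`, the credentials and the class are assumed.

final class UserRepository
{
    private $pdo;

    // The PDO handle is injected, so a test double or another driver can be swapped in.
    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    public static function connectMysql(string $host, string $db, string $user, string $pass): PDO
    {
        return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no silent false returns
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares on MySQL
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function insert(string $username, string $email): int
    {
        // No escaping call: the values travel as bound parameters, so quotes,
        // backslashes or "1 OR 1=1" are stored literally and never parsed as SQL.
        $stmt = $this->pdo->prepare(
            'INSERT INTO users (username, email) VALUES (:username, :email)'
        );
        $stmt->execute([':username' => $username, ':email' => $email]);
        return (int) $this->pdo->lastInsertId();
    }

    public function findById(int $id): ?array
    {
        // String escaping does nothing for an unquoted integer position;
        // binding with PDO::PARAM_INT covers that case as well.
        $stmt = $this->pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch();
        return $row === false ? null : $row;
    }
}

// HTML encoding belongs at the output boundary, not in the storage path:
// the database keeps the raw string and the page gets an HTML-safe copy.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$repo = new UserRepository(
    UserRepository::connectMysql('localhost', 'secured_login', 'app_user', 'somepass')
);
$id   = $repo->insert("O'Brien <b>", 'ob@example.com'); // stored exactly as typed
$user = $repo->findById($id);
echo '<p>Welcome, ' . h($user['username']) . "</p>\n";   // encoded only when rendered
```

Keeping strip_tags()/htmlentities() out of the storage path also means the same stored value can later be emitted into JSON, a CSV export or a log line with the encoding appropriate to that context rather than with HTML entities baked in.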

Can PHP use a MySQL bookmarked Query? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 9 years ago.
I haven't found anything that matches my situation...
I am using XAMPP, which has MySQL as a backend and PHP in the front (web) end. In the administration screen of MySQL (phpMyAdmin) I can create and run SQL requests. There is also an option of "Bookmark this SQL Query: "
Suppose I save a "Bookmark SQL Query". Is it possible for PHP to reference this Bookmark SQL Query? Or do I have to create that query in PHP? It would be easier to reference the Bookmarked query, rather than make the full SQL query.
Thanks.
Thanks to those who understood the question. You are smarter than those who didn't.
PHPMyAdmin is simply a PHP application that interfaces with your database. Anything you save on it stays on it.
Your PHP application is completely different from PHPMyAdmin and unless you create such a feature, you cannot use it within your application.
If you create a SQL execution interface within your application, you can also create something like that to be able to re-use the query.
Hope the explanation makes sense and the answer helps.
No, I don't think it's possible, the feature you're talking about is a feature in the client application only. You should write the query in PHP. That way you don't have to rely on an external feature/query for the application to work either.

PHP PDO vs normal mysqli speed performance benchmark [closed]

Closed 9 years ago.
I'm working on a project, a social networking website, where speed optimization is very critical.
Is PDO faster?
I am thinking of switching to PDO. Is PDO recommended for such a site?
I doubt using PDO or MySQLi will be the bottleneck, though if you ask for benchmarks, here they are (nothing serious, just a couple of tests).
In general, using one or another is a matter of taste, and bottlenecks usually are somewhere else (e.g., queries, indexes, PHP code etc).
One thing you might consider is using some DB wrapper, i.e., class that uses either PDO or MySQLi, whichever you prefer. In your code, use this wrapper instead of using PDO or MySQLi directly. If you do this, you'll be able to switch between PDO, MySQLi or any other library by changing single class instead of changing all the code.
I did a mini benchmark on this a while back. Conclusion. PDO and MySQLi are very similar but the features in PDO are worth using.
http://cznp.com/blog/2/apples-and-oranges-mysqli-and-pdo
