Below are three versions of an SQL call, along with escaping of the passed value.

> $value=mysql_escape_string($_POST['value']);
> mysql_query('SELECT * FROM table WHERE field="'.$value.'"');

  + Fastest code
  - Bad readability; value needs to be escaped separately


> $value=mysql_escape_string($_POST['value']);
> mysql_query(sprintf('SELECT * FROM table WHERE field="%s"', $value));

  + Good readability
  - Value needs to be escaped separately


sql_sprintf() is a custom version of sprintf() which automatically escapes all passed parameters.

> mysql_query(sql_sprintf('SELECT * FROM table WHERE field="%s"', $_POST['value']));

  + Good readability; value does not need to be escaped separately
  - Slowest code

Up until now I have only used the first version for all SQL work I did. Now, however, I am seeking a better and more abstracted solution. I did some quick tests (only for the string parsing, without actual SQL queries) and noticed that the performance (as expected) continually degrades when moving from the top code down the list. While the third version is probably the most secure one, due to the fact that sql_sprintf() always checks for escape sequences, it is also the slowest, especially when the same value is used multiple times, because then it is (unnecessarily) escaped again and again for each call, whereas the second version only escapes it once. This, however, is at the same time the big advantage of the third version, because the developer does not need to escape the data manually.

Now my question is: what would be a good/the best compromise, or, alternatively, are there any other solutions for this particular issue?


PS: All this code is assumed to run with magic_quotes_gpc OFF.
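As an added example (not part of the original post or its author's code), here is the "other solution" the question points at: bound parameters via PDO, where the value is passed to the driver separately from the SQL text, so nothing is ever escaped, once or repeatedly. It uses an in-memory SQLite database and a constructed table so it runs offline; the same PDO calls work against MySQL, and the sample values are constructed.

```php
<?php
// Added example, not from the original post. Bound parameters instead of
// string escaping: the value never becomes part of the SQL text, so the
// "escape once vs. escape on every call" trade-off disappears entirely.

// In-memory SQLite so the example runs offline; the table and rows are
// constructed for this demonstration. With MySQL the DSN would change
// (e.g. 'mysql:host=...;dbname=...') and the rest stays the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL, turning emulation off makes the server itself do the binding,
// so the value is sent out-of-band rather than interpolated by the driver.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE t (field TEXT)');
$insert = $pdo->prepare('INSERT INTO t (field) VALUES (:value)');
foreach (["O'Brien", 'say "hi"', 'Smith'] as $seed) {
    $insert->execute([':value' => $seed]);
}

// Prepared once; the placeholder replaces the "%s" of sql_sprintf().
$select = $pdo->prepare('SELECT field FROM t WHERE field = :value');

/**
 * Look up rows matching an untrusted value (what $_POST['value'] would carry).
 * The same statement is reused for every call with no per-call escaping.
 */
function findByField(PDOStatement $stmt, string $value): array
{
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs containing both quote styles used as SQL delimiters
// in the original snippets; each is treated as data, not as SQL syntax.
foreach (["O'Brien", 'say "hi"', 'Smith', "nobody"] as $untrusted) {
    $rows = findByField($select, $untrusted);
    printf("%-10s -> %d row(s)\n", $untrusted, count($rows));
}
```

The quoted values match exactly one row each and the unknown name matches none, without any escaping step in the application code.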

PHP Database Mailing List (http://www.php.net/)