Hi Christopher
One other question. Our current site is written in JSP with Oracle. I'd like to 
use PHP. Do you have any thoughts on this?
We're not really using JSP as it was intended (like using classes) and I 
think it has a lot of overhead and is overkill. It seems PHP would be a better 
choice for embedded HTML. For the most part the site mainly consists of 
relatively simple DB retrieval for several of our products, which then lists 
various documentation and reference material for each, all dynamic. And then we 
have a few very simple stand-alone user input forms occasionally.
Oracle is the DB on most of the site - a little MySQL too.

--- On Fri, 11/7/08, Christopher Jones <[EMAIL PROTECTED]> wrote:

From: Christopher Jones <[EMAIL PROTECTED]>
Subject: Re: [PHP-DB] sql injections/best practises
Cc: php-db@lists.php.net
Date: Friday, November 7, 2008, 5:39 PM

mignon hunter wrote:
> I am trying to find some definitive best practices on database
> connections with PHP on both MySQL and Oracle.
> I'm starting to redesign a corporate website and am trying to find out
> more about security and the best practices for database queries and user input
> form handling.
> For example - what's the best usage - prepared statements? And does it
> have to be PHP 5? I need preferably a one stop shop as opposed to looking at
> dozens of different places. Can you advise a particular book? Website?
> I have checked out the security area on the PHP manual and some user
> notes - some were useful. But it didn't really have a lot of info and I don't
> think it is comprehensive or all inclusive.
> Thanks in advance. PS I would like to switch the current site from JSP to
> PHP. I was going to look into Zend IDE. Comments? Suggestions?
> thanks

PHP 5.2 is the way to go for new projects: PHP 4 isn't being

Binding/preparing statements is the way to go.  Here are quotes about
them with MySQL & Oracle

    "They are useful for speeding up execution when you are performing
    large numbers of the same query with different data.  They also
    protect against SQL injection-style attacks."  (From "PHP and
    MySQL Web Development", 4th Edition, Luke Welling and Laura

    "If I were to write a book about how to build nonscalable [note
    the NON] Oracle applications, then 'Don't Use Bind Variables'
    would be the title of the first and last chapters. [...] If you
    want to make Oracle run slowly [...] just refuse to use bind
    variables" (From "Expert Oracle Database Architecture", Tom

Depending on the site needs, consider a DB abstraction layer or a

For high performance connections in PHP OCI8 for Oracle, use
oci_pconnect() and pass the character set.

There are a number of Oracle-PHP books available.  One free,
introductory one is the "Underground PHP & Oracle Manual",
http://tinyurl.com/f8jad (A new edition will be released in the next
couple of weeks)


-- Email: [EMAIL PROTECTED]  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/f8jad

-- PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
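The bind-variable / prepared-statement pattern Christopher recommends above, shown for both Oracle OCI8 and mysqli, as an added example rather than code from the thread; the table and column names (product_docs, title, url), the host strings and the credentials are placeholders.

```php
<?php
// Added example, not code from the thread. Table, column and connection
// details (product_docs, dbhost/ORCL, the credentials) are placeholders.
// UNSAFE: the request value becomes part of the SQL text, so a quote in it
// ends the string literal and the rest is parsed as SQL; Oracle must also
// hard-parse every distinct statement text.
function fetch_docs_unsafe($conn, $product)
{
    $stid = oci_parse($conn, "SELECT title, url FROM product_docs "
                           . "WHERE product = '" . $product . "'");
    oci_execute($stid);
    oci_fetch_all($stid, $rows, 0, -1, OCI_FETCHSTATEMENT_BY_ROW | OCI_ASSOC);
    return $rows;
}

// SAFE (Oracle/OCI8): :product is a bind variable. The statement text is
// parsed once and the value travels separately, so it can never be read
// as SQL, and repeated calls reuse the cached parse (Tom Kyte's point).
function fetch_docs_oci($conn, $product)
{
    $stid = oci_parse($conn, 'SELECT title, url FROM product_docs '
                           . 'WHERE product = :product');
    oci_bind_by_name($stid, ':product', $product);
    oci_execute($stid);
    oci_fetch_all($stid, $rows, 0, -1, OCI_FETCHSTATEMENT_BY_ROW | OCI_ASSOC);
    oci_free_statement($stid);
    return $rows;   // keys are upper-case column names, e.g. $rows[0]['TITLE']
}

// SAFE (MySQL/mysqli): the same idea with a ? placeholder. bind_result()
// works on PHP 5.2 without the mysqlnd driver; keys match the OCI8 result.
function fetch_docs_mysqli(mysqli $db, $product)
{
    $stmt = $db->prepare('SELECT title, url FROM product_docs WHERE product = ?');
    $stmt->bind_param('s', $product);
    $stmt->execute();
    $stmt->bind_result($title, $url);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('TITLE' => $title, 'URL' => $url);
    }
    $stmt->close();
    return $rows;
}

// Persistent connection with an explicit character set, as recommended above.
$conn = oci_pconnect('app_user', 'app_password', 'dbhost/ORCL', 'AL32UTF8');
$db   = new mysqli('dbhost', 'app_user', 'app_password', 'docs');
$db->set_charset('utf8');
$product = isset($_GET['product']) ? $_GET['product'] : '';
print_r(fetch_docs_oci($conn, $product));      // never call fetch_docs_unsafe()
```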
