All of my PHP/MySQL stuff was done years ago, and I used "good practices" at the time. Things have changed, and it's past time to get up to speed on mysqli, PDO, sessions, etc. All my projects to date have been private, hobby things that "outsiders" didn't have access to. That's about to change -- well, if I can ever get this stuff figured out.
I've been digging around on the web for several weeks now, and I don't feel like I've made much in the way of progress as regards prepared statements and mysqli and SQL injection and PDO and XSS attacks and OOP -- did manage to get a handle on full-text search, sessions, and sanitizing and validating user input, though. ;-) But mostly I feel like I'm just going around in circles. Every time I think, "Okay, I'm going to do it THIS way!" I run into a problem, Google for the solution, and find lots of different solutions, or problems, relating to things that I thought I had already resolved. Lots of RTFM hours invested, but still unsure about where to go from here. I've tried to figure out OOP a few times in the past, and it just makes my eyes bleed and my brain hurt. I can't seem to grasp it at all. I'm pretty sure I'm not stupid -- maybe it's because I stored my first BASIC program on a cassette tape? But . . . PDO is OOP? And mysqli is OOP or procedural -- but PDO is the better solution? Either way, I just can't figure out how to convert some of my mysql queries to either one. I found, of course, oodles of info on the web. I check dates to make sure it's current, but they're sneaky -- one tutorial I found from 2012 seemed pretty good until the author recommended using mysql_real_escape_string, and even *I* knew that wasn't right -- getting rid of that usage is one of the reasons I started digging around in the first place. Reading down through the comments, I found it was a re-post of a 2006 article, but, interestingly enough, while they discussed several other recommendations, not a single commenter mentioned the mysql_real_escape_string issue. I know how to Google -- but I can't always tell if what I'm finding is really "it" or just another load of . . . misinformation. Who are the REAL authorities on this stuff? I like books, too, since I don't want to spend all my time in front of a screen -- but the expense would require limiting them to just one or two -- I want to get the "right" ones. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php