php-general Digest 23 Jan 2012 08:08:44 -0000 Issue 7661
Topics (messages 316354 through 316354):
Re: sql injection protection
316354 by: marco.behnke.biz
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
Haluk Karamete <halukkaram...@gmail.com> wrote on 20 January 2012 at 20:56:
> Do we all agree on that? It's a plain YES or NO question right here.
No, I do not agree.
1) There is no sense in cleaning up all arrays using mysql escape. This one
is for escaping BEFORE using it in a query. Why should I alter all my
get/post data, if not all data is passed to sql?
2) Think about big post arrays and consider 1) Why should I waste CPU time
to escape all my data, even if not all data is used in sql?
3) The approach you try to re-invent here is already known, take a look at
the php docs by searching for filter extension
4) What is the sense in connecting to a database at the beginning of every
script? What if the script will not use it, because data validation
failed? You wasted a mysql connection on that.
There are many more reasons, and I am sure there will be follow ups on
that.
So it's a plain NO from me.
Marco Behnke
Dipl. Informatiker (FH), SAE Audio Engineer Diploma
Zend Certified Engineer PHP 5.3
Tel.: 0174 / 9722336
e-Mail: ma...@behnke.biz
Softwaretechnik Behnke
Heinrich-Heine-Str. 7D
21218 Seevetal
http://www.behnke.biz
--- End Message ---
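The approach argued for above, as an added example that is not from Marco's post or from anything on the list: validate only the request fields the script needs with the filter extension, open a database connection only after validation has passed, and pass the values to the query as bound parameters rather than escaping the whole request array up front. The use of PDO with an in-memory SQLite database, the `comments` table and the sample requests are all assumptions made for this example.

```php
<?php
// Added example (not from the original post). Demonstrates the three points
// made in the message: validate with the filter extension, defer the database
// connection until validation succeeds, and bind parameters instead of
// escaping every GET/POST value "just in case".
declare(strict_types=1);

/**
 * Validate only the fields this script actually uses.
 * Returns the validated values, or null if any required field is invalid.
 */
function validateCommentRequest(array $request): ?array
{
    $definition = [
        'user_id' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1],
        ],
        'email'   => FILTER_VALIDATE_EMAIL,
        // Free text: accept any string up to 500 bytes. It is never escaped
        // here because it is only ever passed to the query as a bound value.
        'comment' => [
            'filter'  => FILTER_CALLBACK,
            'options' => static fn ($v) => (is_string($v) && strlen($v) <= 500) ? $v : false,
        ],
    ];

    // add_empty=true: fields missing from the request come back as null;
    // fields that fail their filter come back as false.
    $clean = filter_var_array($request, $definition, true);
    foreach (['user_id', 'email', 'comment'] as $field) {
        if (!isset($clean[$field]) || $clean[$field] === false) {
            return null;
        }
    }
    return $clean;
}

/**
 * Run the INSERT with bound parameters. The caller creates the PDO handle,
 * so no connection exists unless validation already succeeded.
 * Table name "comments" is an assumption for this example.
 */
function storeComment(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (user_id, email, body) VALUES (:user_id, :email, :body)'
    );
    $stmt->bindValue(':user_id', $clean['user_id'], PDO::PARAM_INT);
    $stmt->bindValue(':email',   $clean['email'],   PDO::PARAM_STR);
    $stmt->bindValue(':body',    $clean['comment'], PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample requests standing in for $_POST (not real data).
// The apostrophe in the good request needs no escaping: binding handles it.
$good = ['user_id' => '42',  'email' => 'alice@example.org', 'comment' => "O'Reilly's book"];
$bad  = ['user_id' => 'abc', 'email' => 'not-an-email',      'comment' => str_repeat('x', 600)];

foreach ([$good, $bad] as $request) {
    $clean = validateCommentRequest($request);
    if ($clean === null) {
        echo "rejected before any database work\n";
        continue;
    }
    // The connection is opened only now. In-memory SQLite stands in for the
    // real DSN so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, email TEXT, body TEXT)');
    echo storeComment($db, $clean) . " row(s) inserted\n";
}
```

Running it with `php` inserts one row for the first request and rejects the second without ever constructing a PDO object, which is the cost the message objects to in point 4. Swapping the SQLite DSN for a MySQL one changes nothing else, since the bound parameters are handled by the driver rather than by string escaping in the script.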