[PHP-DB] sql injections/best practises

2008-11-07 Thread mignon hunter
I am trying to find some definitive best practises on database connections 
with php on both mysql and oracle. 
 
I'm starting to redesign a corporate website and am trying to find out more 
about security and the best practises for database queries and user input form 
handling.
 
For example - what's the best usage - prepared statements? And does it have to 
be php 5? I need preferably a one stop shop as opposed to looking at dozens of 
different places. Can you advise a particular book? Website?
 
I have checked out the security area on the php manual and some users notes - 
some were useful. But it didn't really have a lot of info and I don't think it is 
comprehensive or all inclusive.
 
Thanks in advance. PS I would like to switch the current site from jsp to php. 
I was going to look into Zend IDE. Comments? Suggestions?
 
thanks



Re: [PHP-DB] sql injections/best practises

2008-11-07 Thread Christopher Jones


mignon hunter wrote:
 I am trying to find some definitive best practises on database connections 
with php on both mysql and oracle.

 I'm starting to redesign a corporate website and am trying to find out more 
about security and the best practises for database queries and user input form 
handling.

 For example - what's the best usage - prepared statements? And does it have 
to be php 5? I need preferably a one stop shop as opposed to looking at dozens of 
different places. Can you advise a particular book? Website?

 I have checked out the security area on the php manual and some users notes - 
some were useful. But it didn't really have a lot of info and I don't think it is 
comprehensive or all inclusive.

 Thanks in advance. PS I would like to switch the current site from jsp to 
php. I was going to look into Zend IDE. Comments? Suggestions?

 thanks


PHP 5.2 is the way to go for new projects: PHP 4 isn't being
maintained.

Binding/preparing statements is the way to go.  Here are quotes about
them with MySQL & Oracle

They are useful for speeding up execution when you are performing
large numbers of the same query with different data.  They also
protect against SQL injection-style attacks.  (From PHP and
MySQL Web Development, 4th Edition, Luke Welling and Laura
Thomson)

If I were to write a book about how to build nonscalable [note
the NON] Oracle applications, then 'Don't Use Bind Variables'
would be the title of the first and last chapters. [...] If you
want to make Oracle run slowly [...] just refuse to use bind
variables (From Expert Oracle Database Architecture, Tom Kyte)

Depending on the site needs, consider a DB abstraction layer or a
framework.

For high performance connections in PHP OCI8 for Oracle, use
oci_pconnect() and pass the character set.

There are a number of Oracle-PHP books available.  One free,
introductory one is the Underground PHP & Oracle Manual,
http://tinyurl.com/f8jad (A new edition will be released in the next
couple of weeks)

Chris

--
Email: [EMAIL PROTECTED]  Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd
Free PHP Book: http://tinyurl.com/f8jad
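As an added illustration of the bind-variable advice in the reply above (example code written for this page, not from the thread, the books quoted, or the PHP project): the string-concatenated query beside its parameterized equivalents for mysqli and OCI8. The table and column names, credentials and connection strings are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a table "users" with
// columns id and email; credentials and connection strings are placeholders.
// With a bind variable the SQL text is fixed at prepare time, so whatever
// the user submits is carried to the database as data, never as SQL.

// --- The pattern to avoid: form input is spliced into the SQL text.
function find_user_unsafe(mysqli $db, string $email): ?array {
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $res = $db->query($sql);        // a quote character in $email changes the query
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- MySQL (mysqli) prepared statement with a bound parameter.
function find_user_mysqli(mysqli $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    if (!$stmt) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $email);   // 's' = string; value never enters the SQL text
    $stmt->execute();
    $stmt->bind_result($id, $found);  // bind_result works without mysqlnd
    $row = $stmt->fetch() ? ['id' => $id, 'email' => $found] : null;
    $stmt->close();
    return $row;
}

// --- Oracle (OCI8): persistent connection with an explicit character set,
// as suggested in the reply, plus a named bind variable.
function find_user_oci8(string $email): ?array {
    $conn = oci_pconnect('appuser', 'secret', 'localhost/XE', 'AL32UTF8'); // placeholders
    if (!$conn) {
        $e = oci_error();
        throw new RuntimeException($e['message']);
    }
    $stid = oci_parse($conn, 'SELECT id, email FROM users WHERE email = :email');
    oci_bind_by_name($stid, ':email', $email);  // Oracle reuses the parsed plan, too
    oci_execute($stid);
    $row = oci_fetch_assoc($stid);
    oci_free_statement($stid);
    return $row ?: null;
}

// Usage with a value taken straight from a form: the '?' / ':email' placeholder
// receives it as data regardless of which characters it contains.
$email = $_POST['email'] ?? '';
$db = new mysqli('localhost', 'appuser', 'secret', 'appdb'); // placeholders
$db->set_charset('utf8mb4');
var_dump(find_user_mysqli($db, $email));
```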

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php