Re: [PHP-DB] SQL Injection

2015-05-16 Thread Lester Caine
On 16/05/15 10:00, Karl DeSaulniers wrote:
 That does clarify things a bit better on both the @ question
 and prepared statements. Thank you for the link as well.
 
 So new question.. what is the best type of database to use
 for someone who wants to start small and grow big?
 
 My findings led me to MySQL InnoDB.

I'm somewhat biased since much of my data goes back to a time before
MySQL even existed. Using Interbase which is now open source as
Firebird. Early versions of MySQL were never stable enough to use in the
environments I work in, and while Postgres was also appearing on the radar,
I've no reason to change. Little things like being able to run backups
automatically even if I've never actually had to use one. And some SQL
functions available in Firebird have yet to appear in other engines, and
having to decide if you want the security InnoDB provides is simply
standard in other engines.

The first question is are you hosting yourself or using third party
hosting? MySQL tends to be available on all third party hosting, with
some providing Postgres, while Firebird tends to be privately hosted. If
you are hosting yourself, then of course MySQL may actually be MariaDB
and you end up with a mix of sources. It's a bit like Interbase and
Firebird where the commercial charges can affect one installation where
the other is totally free.

If you are only looking for a single installation, then MySQL is
probably fine. I'm running 50+ databases and with Firebird each is
isolated in its own directory and automatically backs up to the website
storage area.

-- 
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] SQL Injection

2015-05-16 Thread Karl DeSaulniers
On May 16, 2015, at 8:42 AM, Lester Caine les...@lsces.co.uk wrote:

 On 16/05/15 10:00, Karl DeSaulniers wrote:
 That does clarify things a bit better on both the @ question
 and prepared statements. Thank you for the link as well.
 
 So new question.. what is the best type of database to use
 for someone who wants to start small and grow big?
 
 My findings led me to MySQL InnoDB.
 
 I'm somewhat biased since much of my data goes back to a time before
 MySQL even existed. Using Interbase which is now open source as
 Firebird. Early versions of MySQL were never stable enough to use in the
 environments I work in, and while Postgres was also appearing on the radar,
 I've no reason to change. Little things like being able to run backups
 automatically even if I've never actually had to use one. And some SQL
 functions available in Firebird have yet to appear in other engines, and
 having to decide if you want the security InnoDB provides is simply
 standard in other engines.
 
 The first question is are you hosting yourself or using third party
 hosting? MySQL tends to be available on all third party hosting, with
 some providing Postgres, while Firebird tends to be privately hosted. If
 you are hosting yourself, then of course MySQL may actually be MariaDB
 and you end up with a mix of sources. It's a bit like Interbase and
 Firebird where the commercial charges can affect one installation where
 the other is totally free.
 
 If you are only looking for a single installation, then MySQL is
 probably fine. I'm running 50+ databases and with Firebird each is
 isolated in its own directory and automatically backs up to the website
 storage area.
 
 -- 
 Lester Caine - G8HFL
 -

Interesting. I program in MySQL on a hosting plan by a third party.
I have heard/read MySQL is not an enterprise solution, but
for the basic business with say less than 100,000 customers,
it does the job and well. Larger than that I had heard Postgres
and Oracle were good to look at. Haven't heard any good things about
SQL Server (.NET), but didn't have too much trouble working with one a few years
back.
I guess I don't know enough about what is available to do with a good database
and which to pick to do what I want with. There are so many. Hence my question here.

Again, thanks for your response.


Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: [PHP-DB] SQL Injection

2015-05-16 Thread Lester Caine
On 16/05/15 14:51, Karl DeSaulniers wrote:
 Interesting. I program in MySQL on a hosting plan by a third party.
 I have heard/read MySQL is not an enterprise solution, but
 for the basic business with say less than 100,000 customers,
 it does the job and well. Larger than that I had heard Postgres
 and Oracle were good to look at. Haven't heard any good things about
 SQL Server (.NET), but didn't have too much trouble working with one a few
 years back.
 I guess I don't know enough about what is available to do with a good
 database and which to pick to do what I want with. There are so many. Hence my question here.

That probably sums up 'hosted' plans. The number of available database
engines has declined in recent years, and where a site 'outgrows' MySQL,
there are a few custom developments, but bottom line ... there is not a
single obvious answer ;)

-- 
Lester Caine - G8HFL




Re: [PHP-DB] SQL Injection

2015-05-16 Thread Lester Caine
On 15/05/15 06:21, Karl DeSaulniers wrote:
 Oh ok. Now it makes a little more sense. 
 I have worked in ASP before, but I am programming in PHP and MySQL at the moment.
 
 I am going to look into Prepared Statements. Thanks for your feedback.

Just to clarify things a little here and explain
http://php.net/manual/en/pdo.prepared-statements.php a little more ...

Many of the legacy injection problems were/are caused by building up
the query as a fully self contained string. Various methods like
'magic_quotes' and wrapping $var in things like makesafe($var) were the
only way some database engines could handle adding variables to the SQL
string and much code still follows that style even today. Other database
engines have always had the ability to pass the variables as a separate
array of data, and the @x is more normally seen as a simple ? in the SQL
string, so PDO and other frameworks map the ':var' elements of the first
example to the relevant style used by the database. Actually naming
parameters is not the norm, so one has to have the right number of '?'
elements to go with the array of data passed, so PDO is adding a layer
of code which hides the underlying execute(sql_query, array_of_data);

-- 
Lester Caine - G8HFL

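An added illustration of the point above (my own code, not from the thread or the PHP manual): the same lookup written the legacy string-built way and then as PDO prepared statements with named and positional placeholders. It assumes the pdo_sqlite extension is available so it can run against an in-memory database; the table and the "user input" are constructed for the example.

```php
<?php
// Added example: legacy string-built query vs. PDO prepared statements.
// Assumes pdo_sqlite; uses an in-memory database so it runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'),
                                                 ('bob',   'bob@example.com')");

// Constructed "user input": a perfectly legitimate name that happens to
// contain a quote, which is exactly what breaks a string-built query.
$input = "o'brien";

// Legacy style: the value is spliced into the SQL text, so the quote in
// $input becomes part of the statement itself and the query is malformed.
try {
    $pdo->query("SELECT * FROM users WHERE name = '$input'");
} catch (PDOException $e) {
    echo "string-built query failed: ", $e->getMessage(), "\n";
}

// Named placeholders: PDO rewrites ':name' into whatever the driver wants
// and hands the value over separately, so it never touches the SQL text.
$stmt = $pdo->prepare('SELECT name, email FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
var_dump($stmt->fetchAll(PDO::FETCH_ASSOC));   // empty result, no error

// Positional placeholders: the form most drivers see underneath. The data
// array must line up one-to-one, in order, with the '?' marks in the SQL.
$stmt = $pdo->prepare('SELECT name, email FROM users WHERE name = ? OR email = ?');
$stmt->execute(['alice', 'bob@example.com']);
foreach ($stmt as $row) {
    echo $row['name'], ' <', $row['email'], ">\n";
}
```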



Re: [PHP-DB] SQL Injection

2015-05-16 Thread Karl DeSaulniers

On May 16, 2015, at 3:51 AM, Lester Caine les...@lsces.co.uk wrote:

 On 15/05/15 06:21, Karl DeSaulniers wrote:
 Oh ok. Now it makes a little more sense. 
 I have worked in ASP before, but I am programming in PHP and MySQL at the moment.
 
 I am going to look into Prepared Statements. Thanks for your feedback.
 
 Just to clarify things a little here and explain
 http://php.net/manual/en/pdo.prepared-statements.php a little more ...
 
 Many of the legacy injection problems were/are caused by building up
 the query as a fully self contained string. Various methods like
 'magic_quotes' and wrapping $var in things like makesafe($var) were the
 only way some database engines could handle adding variables to the SQL
 string and much code still follows that style even today. Other database
 engines have always had the ability to pass the variables as a separate
 array of data, and the @x is more normally seen as a simple ? in the SQL
 string, so PDO and other frameworks map the ':var' elements of the first
 example to the relevant style used by the database. Actually naming
 parameters is not the norm, so one has to have the right number of '?'
 elements to go with the array of data passed, so PDO is adding a layer
 of code which hides the underlying execute(sql_query, array_of_data);
 
 -- 
 Lester Caine - G8HFL

Thank you Lester. 
That does clarify things a bit better on both the @ question
and prepared statements. Thank you for the link as well.

So new question.. what is the best type of database to use
for someone who wants to start small and grow big?

My findings led me to MySQL InnoDB.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com

