Re: [PHP] Re: Secure data management

2011-10-07 Thread Paul M Foster
On Fri, Oct 07, 2011 at 12:46:52AM -0400, Govinda wrote: http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Hi everyone I have read many many articles and blog posts in the last few days to bolster my (still mostly newbie) understanding of the factors that play in to

Re: [PHP] Re: Secure data management

2011-10-07 Thread Govinda
There is more to SQL injection than getting the quoting correct. In my understanding, prepared statements handles the other problems associated with queries and SQL injection beyond just quoting. Here's a good tutorial on how this works: http://www.youtube.com/watch?v=bORZlmyDw0s Paul,

Re: [PHP] Re: Secure data management

2011-10-06 Thread Govinda
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Hi everyone I have read many many articles and blog posts in the last few days to bolster my (still mostly newbie) understanding of the factors that play in to preventing various methods of SQL injection prevention.. and by

Re: [PHP] Re: Secure data management

2011-10-05 Thread Tommy Pham
On Tue, Oct 4, 2011 at 8:01 PM, Jeremiah Dodds jeremiah.do...@gmail.comwrote: On Tue, Oct 4, 2011 at 9:25 PM, Tommy Pham tommy...@gmail.com wrote: There would be a difference in performance since the the expression has to be reevaluated, including the function FROM_BASE, every time versus

Re: [PHP] Re: Secure data management

2011-10-05 Thread Mark Kelly
Hi. On Wednesday 05 Oct 2011 at 00:04 Mark Kelly wrote: I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal. Thank you all for joining in here - it's been a fascinating read so far. Mark -- PHP General Mailing List

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 4 Oct 2011, at 20:30, Shawn McKenzie wrote: On 10/04/2011 02:23 PM, Jim Giner wrote: I thought I knew how to do this. I have a form that collects some data fields. My script checks if magic quotes are off and (since they are) executes addslashes on each input field. Then I run a

Re: [PHP] Re: Secure data management

2011-10-04 Thread Mark Kelly
Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 00:04, Mark Kelly wrote: Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Thanks. I followed this link through and read the full message (having missed it the first time round), and while I

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:04, Mark Kelly wrote: Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Thanks. I followed this link through and read

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 00:45, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:04, Mark Kelly wrote: Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:45, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:04, Mark Kelly wrote: Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 01:13, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:45, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:04, Mark Kelly wrote: Hi. On Tuesday

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 01:13, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:45, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote: As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements. Probably not. As an aside, I'm really struggling to find a case where it'd be worth base64-encoding the

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 02:02, Tommy Pham wrote: On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 01:13, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:45, Tommy Pham wrote: On Tue, Oct 4,

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 6:07 PM, Jeremiah Dodds jeremiah.do...@gmail.comwrote: On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote: As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements. Probably not. As an aside,

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 8:10 PM, Stuart Dallas stu...@3ft9.com wrote: Prepared statements incur an additional hit against the DB server to prepare the statement. But only once, right? This could, of course, still be a downside depending the nature of your app. -- PHP General Mailing List

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 02:07, Jeremiah Dodds wrote: On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote: As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements. Probably not. As an aside, I'm really struggling to find a

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 8:15 PM, Tommy Pham tommy...@gmail.com wrote: On Tue, Oct 4, 2011 at 6:07 PM, Jeremiah Dodds jeremiah.do...@gmail.com wrote: On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote:  As for the overhead I very much doubt there's much difference between

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 02:16, Jeremiah Dodds wrote: On Tue, Oct 4, 2011 at 8:10 PM, Stuart Dallas stu...@3ft9.com wrote: Prepared statements incur an additional hit against the DB server to prepare the statement. But only once, right? This could, of course, still be a downside depending the

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 6:10 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 02:02, Tommy Pham wrote: On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 01:13, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 9:25 PM, Tommy Pham tommy...@gmail.com wrote: There would be a difference in performance since the the expression has to be reevaluated, including the function FROM_BASE, every time versus one time evaluation of prepared statement. This is true, but it should be pointed