>> This is an interesting conversation, so I'm glad it got brought up,but I >> find myself curious: Are you actually trying to avoid PDO, or just trying >> to learn how the security actually works?
Well, It's a learning process. my point is this... If I can make it safe and sound without the PDO, then I really got to the bottom of it. Because once you reach there and I would be in a much better shape cause at the end, I will still use PDO level. PDO is not safe. I should say, it is not SAFE ENOUGH. You are still vulnerable with PDO as well. Cause PDO still requires you to validate your input. If you don't do a good job at it, then you are using PDO as a drug. You have to go down to bottom of it and that's validating the darn user input. Well, if you validate your input well, then one can turn the question around and ask, then why use PDO? It's not going to make it any safer! It was already so. The danger with the PDO articles... Using/or Recommending PDO without the nitty/gritty details of how important it is to validate your input is unfortunately leading people ( unexp. dev ) into thinking that it's a safer method, therefore they can go relax at certain things and PDO will cover them. I think one should try to make his data secure, first and foremost - without *relying* PDO to take care of things. Therefore, we should learn the crux of the matter. By that, I mean all that multibyte and GPK Greek and some other weird char sets that one should be aware of and what to do to really safe guard the databases against all kinds of user data. Only then and only then, one should START thinking about using PDO. http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection That's why I started this thread. On Tue, Jan 17, 2012 at 4:39 AM, Andy McKenzie <amckenz...@gmail.com> wrote: > On Mon, Jan 16, 2012 at 10:34 PM, Haluk Karamete > <halukkaram...@gmail.com> wrote: >> I understand some ways are better than others in this one, and it >> looks like the PDO based implementations shine the most as far as SQL >> Injection. >> >> But would not the following be good enough - without implementing a >> PDO solution? >> >> .... > > > This is an interesting conversation, so I'm glad it got brought up, > but I find myself curious: Are you actually trying to avoid PDO, or > just trying to learn how the security actually works? > > Personally, my decision was that I could spend a lot of time learning > all the ins and outs, or I could just use PDO and some basic input > validation, and be more-or-less secure. I'm sure there are cases > where that's not sensible, but it's always worked for me. > > -Andy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
