[ciapug] On or Off ...

Carl Olsen carl-olsen at mchsi.com
Mon Aug 8 21:05:45 CDT 2005


Is a prepared statement the same thing as a stored procedure?  It's my
understanding that MySQL doesn't support them, which is why I've been using
PostgreSQL on my personal site (www.carl-olsen.com).  I know that the PEAR
DB functions support PostgreSQL.  I write stored procedures in PostgreSQL
using PL/pgsql and then make a class of functions that simply converts the
stored procedures to parameterized functions, with field names becoming the
properties and the add, update, and delete queries becoming the methods.
I'm not exactly sure if this protects me against SQL injection attacks, but
I'm thinking it does, since each parameter is fed into an input parameter
inside the stored procedure before anything happens.  I don't do any kind of
checking for single or double quotes.  Have I got this right, or should I be
laundering the user input as well?

Carl
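An added example, not code from anyone in this thread, that illustrates the point behind Carl's question and Tony's remark about prepared statements. Python's sqlite3 module stands in for PHP with PEAR DB and PostgreSQL, and the table, field and class names are constructed for the demonstration. Two wrappers expose the same add/find interface in the style Carl describes (fields in, add/update methods out); they differ only in whether the values are interpolated into the SQL text or bound as parameters. Whatever procedure or table sits behind the call does not change the outcome, because an injected quote alters the statement before the database ever sees it.

```python
import sqlite3

# Constructed sample schema; it stands in for the PostgreSQL table that a
# PL/pgSQL add/update/delete procedure would write to (hypothetical names).
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


class UnsafeUsers:
    """Wrapper that interpolates the field values into the SQL text.

    Whatever the server-side procedure does with its input parameters, the
    statement has already been changed by the time the database parses it.
    """

    def __init__(self, conn):
        self.conn = conn

    def add(self, name, email):
        sql = f"INSERT INTO users (name, email) VALUES ('{name}', '{email}')"
        self.conn.execute(sql)

    def find_by_email(self, email):
        sql = f"SELECT name FROM users WHERE email = '{email}'"
        return [row[0] for row in self.conn.execute(sql)]


class SafeUsers:
    """Same interface, but every value travels as a bound parameter.

    This is the shape of PEAR DB's prepare()/execute() pair: the SQL text is
    fixed, the values are sent separately, and nothing needs to be laundered
    on the way in.
    """

    def __init__(self, conn):
        self.conn = conn

    def add(self, name, email):
        self.conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))

    def find_by_email(self, email):
        rows = self.conn.execute("SELECT name FROM users WHERE email = ?", (email,))
        return [row[0] for row in rows]


def demo(wrapper_cls):
    """Run the same operations through a wrapper and report what happened.

    Returns (apostrophe_ok, rows_for_quoted_value):
      apostrophe_ok          - whether a name containing a single quote was stored intact
      rows_for_quoted_value  - how many names a lookup returns for a value that contains
                               a quote and an OR instead of a plain e-mail address
    """
    users = wrapper_cls(new_db())
    users.add("Alice", "alice@example.com")     # constructed sample rows
    users.add("Bob", "bob@example.com")

    try:
        users.add("Conan O'Brien", "conan@example.com")
        apostrophe_ok = users.find_by_email("conan@example.com") == ["Conan O'Brien"]
    except sqlite3.OperationalError:
        # The stray quote in the interpolated text breaks the INSERT statement.
        apostrophe_ok = False

    # Bound, the value is compared literally as an e-mail address and matches no row;
    # interpolated, the same string rewrites the WHERE clause and matches every row.
    rows = users.find_by_email("nobody@example.com' OR 'x'='x")
    return apostrophe_ok, len(rows)


if __name__ == "__main__":
    print("interpolated:", demo(UnsafeUsers))   # (False, 2)
    print("parameterised:", demo(SafeUsers))    # (True, 0)
```

The takeaway for the wrapper-class approach is that the protection comes from how the class hands the values to the procedure call (a prepared statement with placeholders, as Tony describes), not from the procedure itself having input parameters. With binding there is nothing to launder; with interpolation, addslashes-style quoting only patches the symptom. One further caveat: a PL/pgSQL body that itself assembles dynamic SQL with EXECUTE and string concatenation reintroduces the same problem inside the procedure.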

-----Original Message-----
From: ciapug-bounces at cialug.org [mailto:ciapug-bounces at cialug.org] On Behalf
Of Tony Bibbs
Sent: Monday, August 08, 2005 10:55 AM
To: ciapug at cialug.org
Cc: cjh at raccoon.com
Subject: Re: [ciapug] On or Off ...

For security reasons register_globals should be turned off, though as 
Dave mentioned, many older PHP apps require them.

I prefer magic quotes to be turned off as well but that's simply because 
we use creole for database abstraction and it handles the quotes for us. 
We've seen issues where PHP code gets ugly when you have a bunch of 
addslashes/stripslashes so it's best to leave that to something else 
(like your abstraction layer).

Similarly PEAR::DB supports prepared statements which, if used, get you 
out of the business of worrying about quotes.

--Tony

Dave J. Hala Jr. wrote:
> Register globals off is preferred, unless you have some old php apps
> that didn't make use of $_POST when posting variables.
> 
> I believe globals off is now the default. You'll know right away if you
> got apps that require globals on. :)
> 
> If you do, you may want to consider putting them on your list of apps
> that are to be "phased out/rewritten" etc.
> 
> :) Dave
> 
> 
> On Mon, 2005-08-08 at 09:34, Chris Hettinger wrote:
> 
>>magic_quotes_gpc and register_globals .... On or Off ??
>>
>>I believe that, and correct me if I am wrong, most will say Magic Quotes
>>= On and Registered Globals = Off.
>>
>>Arguments one way or the other?
>>
>>-ch
>>
>>
>>
>>_______________________________________________
>>ciapug mailing list
>>ciapug at cialug.org
>>http://cialug.org/mailman/listinfo/ciapug