[ciapug] On or Off ...

Dave J. Hala Jr. dave at 58ghz.net
Tue Aug 9 08:11:11 CDT 2005


Did you take a look at MySQL 5?  I believe (I'm fairly sure) that it has
this ability.



On Mon, 2005-08-08 at 21:05, Carl Olsen wrote:
> Is a prepared statement the same thing as a stored procedure?  It's my
> understanding that MySQL doesn't support them, which is why I've been using
> PostgreSQL on my personal site (www.carl-olsen.com).  I know that the PEAR
> DB functions support PostgreSQL.  I write stored procedures in PostgreSQL
> using PL/pgsql and then make a class of functions that simply converts the
> stored procedures to parameterized functions, with field names becoming the
> properties and the add, update, and delete queries becoming the methods.
> I'm not exactly sure if this protects me against SQL injection attacks, but
> I'm thinking it does, since each parameter is fed into an input parameter
> inside the stored procedure before anything happens.  I don't do any kind of
> checking for single or double quotes.  Have I got this right, or should I be
> laundering the user input as well?
> 
> Carl
> 
> -----Original Message-----
> From: ciapug-bounces at cialug.org [mailto:ciapug-bounces at cialug.org] On Behalf
> Of Tony Bibbs
> Sent: Monday, August 08, 2005 10:55 AM
> To: ciapug at cialug.org
> Cc: cjh at raccoon.com
> Subject: Re: [ciapug] On or Off ...
> 
> For security reasons register_globals should be turned off, though as 
> Dave mentioned, many older PHP apps require them.
> 
> I prefer magic quotes to be turned off as well but that's simply because 
> we use creole for database abstraction and it handles the quotes for us. 
> We've seen issues where PHP code gets ugly when you have a bunch of 
> addslashes/stripslashes so it's best to leave that to something else 
> (like your abstraction layer).
> 
> Similarly PEAR::DB supports prepared statements which, if used, get you 
> out of the business of worrying about quotes.
> 
> --Tony
> 
> Dave J. Hala Jr. wrote:
> > Register globals off is preferred, unless you have some old php apps
> > that didn't make use of $_POST  when posting variables.
> > 
> > I believe globals off is now the default. You'll know right away if you
> > got apps that require globals on. :)
> > 
> > If you do, you may want to consider putting them on your list of apps
> > to be "phased out/rewritten" etc.
> > 
> > :) Dave
> > 
> > 
> > On Mon, 2005-08-08 at 09:34, Chris Hettinger wrote:
> > 
> >> magic_quotes_gpc and register_globals .... On or Off ??
> >>
> >> I believe that, and correct me if I am wrong, most will say Magic Quotes
> >> = On and Registered Globals = Off.
> >>
> >> Arguments one way or the other?
> >>
> >> -ch
> >>
> >>
> >>
> >> _______________________________________________
> >> ciapug mailing list
> >> ciapug at cialug.org
> >> http://cialug.org/mailman/listinfo/ciapug
-- 

Open Source Information Systems (OSIS)
Dave J. Hala Jr. <dave at osis.us>
641.485.1606
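An added example, not code from the thread, of the pattern Tony and Carl describe: PEAR::DB placeholders carrying $_POST values into a PostgreSQL stored procedure, with magic_quotes_gpc undone first so only the abstraction layer does the quoting. The procedure name add_note and the DSN are placeholders assumed for illustration.

```php
<?php
// Added example (not from the thread). Assumes a hypothetical PL/pgSQL
// procedure add_note(text, text) and a DSN of your own.
require_once 'DB.php';

// Undo magic_quotes_gpc so the abstraction layer is the only thing escaping.
// Leaving the slashes in is how the addslashes/stripslashes mess Tony
// mentions starts: values get escaped twice.
function clean_gpc($value)
{
    if (is_array($value)) {
        return array_map('clean_gpc', $value);
    }
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Unsafe: the query text is assembled from user input. A quote in $title
// becomes part of the SQL, regardless of the stored procedure behind it.
function add_note_unsafe($db, $title, $body)
{
    return $db->query("SELECT add_note('$title', '$body')");
}

// Safe: each '?' is filled in by PEAR::DB, which quotes the value itself.
// The procedure only ever receives the values as data, never as query text.
function add_note_safe($db, $title, $body)
{
    $sth = $db->prepare('SELECT add_note(?, ?)');
    $res = $db->execute($sth, array($title, $body));
    $db->freePrepared($sth);
    return $res;
}

$db = DB::connect('pgsql://user:password@localhost/example'); // placeholder DSN
if (PEAR::isError($db)) {
    die('connect failed: ' . $db->getMessage());
}

$title = clean_gpc($_POST['title']);
$body  = clean_gpc($_POST['body']);

$res = add_note_safe($db, $title, $body);
if (PEAR::isError($res)) {
    error_log('add_note failed: ' . $res->getMessage());
}
```

PEAR::DB fills placeholders client-side by quoting each value, so the protection holds as long as values reach the query only through placeholders, including inside the PL/pgSQL body (an EXECUTE built by concatenating the parameters would reintroduce the problem).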
