On Tue, May 27, 2014 at 7:35 AM, Brian J. Rogers <captbrog...@gmail.com> wrote:
> The mysql_* functions are being deprecated. So the recommendation is to use
> PDO. PDO's prepared statements will help sanitize your input, because even
> on an update/insert, a malicious user can still wreak havoc.
>
> Here is a slightly older article on it:
> https://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

This appears to me to be the correct advice.

In general, you should not think about "sanitizing strings"; thinking
this way means you're misunderstanding the actual problem.  There's no
one true method of "sanitizing strings" because the way strings are
interpreted varies based on their destination rather than their
source.  What the PDO thing is doing is pushing the job of dealing
with the translation of "strings" to "SQL query data" to code that
understands how SQL interprets things.  This code can correctly
perform any escaping necessary, because it understands the destination
domain.  You should not think of SQL queries as "strings"; you should
think of them as data objects that happen to have a string-like
representation.  It's a type error (in theory, even if not actually
enforced by your language) to use a string as part of a query.  You
should also not think of HTML as "strings"; they're data objects that
also happen to have a string-like representation.  So user input
should pass through a process similar to PDO-parameterization in order
to build HTML objects from strings.  Even if the HTML is ultimately
*represented* in your language as a string!

Well-designed web frameworks, regardless of language, will provide
"string-to-X" builder functions like PDOs for all string-like data
such as programmatically-constructed SQL queries, HTML, or JavaScript.
Furthermore, they'll do type checking (whether static or dynamic) to
ensure that it's an error to pass a normal string directly to
something that expects an SQL query, HTML, or JavaScript.  I would
imagine that such things exist for PHP, though I've never really
looked into it myself.

        --Levi
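The two points above (the destination, not the source, decides how a string is interpreted; and a framework should make "plain string where SQL or HTML is expected" a type error) can be shown in a few lines of PHP. The following is an added example, not code from the original thread or from any PHP framework. It assumes PHP 8 with the PDO SQLite driver, uses an in-memory database with constructed sample rows, and the `HtmlFragment` class is a hypothetical illustration of the typed wrapper Levi describes.

```php
<?php
// Added example (not from the original post). Demonstrates why "sanitizing
// strings" is the wrong frame: the same legitimate value breaks a query when
// spliced in as SQL text and works when passed as bound data. Assumes PHP 8
// with pdo_sqlite; the table and rows below are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('O''Brien', 'user')");

// Concatenation: the value becomes part of the SQL text, so the SQL parser
// reads it as SQL. An ordinary apostrophe in the data is enough to break it.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised: the query shape is fixed at prepare() time and the value is
// bound separately, so PDO (which understands the SQL destination) handles it
// as data regardless of what characters it contains.
function findByNameParam(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien"; // constructed sample input containing a quote character

try {
    findByNameConcat($pdo, $input);
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), PHP_EOL;
}
echo "parameterised query rows: ", count(findByNameParam($pdo, $input)), PHP_EOL; // 1

// The same principle applied to HTML: a value object that can only be built
// by escaping, so code that expects HTML cannot be handed a bare string.
// Hypothetical class for illustration; not from any PHP framework.
final class HtmlFragment
{
    private function __construct(private string $markup) {}

    // The only way in from a plain string is through the escaper.
    public static function fromText(string $text): self
    {
        return new self(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    }

    public function __toString(): string
    {
        return $this->markup;
    }
}

// The parameter type makes "pass a normal string here" a TypeError under
// strict_types, which is the check Levi says a well-designed framework performs.
function renderGreeting(HtmlFragment $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

echo renderGreeting(HtmlFragment::fromText("O'Brien & <co>")), PHP_EOL;
// -> <p>Hello, O&#039;Brien &amp; &lt;co&gt;</p>
// renderGreeting("O'Brien & <co>") would throw a TypeError before any markup is built.
```

The point of using `O'Brien` rather than a crafted payload is that nothing about the input is hostile: the concatenated version fails simply because the destination (the SQL parser) interprets the apostrophe as syntax, which is exactly why escaping has to be done by code that knows the destination. In real PHP code the `HtmlFragment` role is usually played by a template engine that auto-escapes, and the SQL role by PDO or an ORM built on it.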

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
