Brian Moon wrote:
> Mathieu CARBONNEAUX wrote:
>> but i think some good security ideas have been said, for example using
>> "prepared statements" to avoid sql injection...
>
> We really need to stop spreading this myth that prepared statements are
> a security measure. Prepared statements only allow passing of the value
> parts of where clauses and a couple of other parts of the query. Limit
> values would be the most common thing in a query that uses variables but
> are not allowed to be prepared. I have also seen plenty of
> applications that use variables for the table names, field names, order
> by, and other parts. Prepared statements help with none of those.
> Prepared statements protect very little against sql injection. Making
> people believe otherwise is dangerous.
>
Limits, table names, and several other query parts are protected by
MediaWiki's query builder. A complex select query might look like this:

    $result = $db->select(
        # Tables
        array( 'user', 'revision' ),
        # Fields
        array( 'user_name', 'rev_timestamp' ),
        # Conditions (WHERE)
        array( 'user_id=rev_user', 'rev_page' => $page_id ),
        # Query tag, goes into a comment in the SQL
        __METHOD__,
        # Options
        array(
            'LIMIT' => 10,
            'ORDER BY' => 'rev_timestamp DESC',
        )
    );

It even has some degree of DBMS-independence, thanks to creative
interpretation of the options parameter. This is what I would like to
see in the PHP core.

-- 
Tim Starling

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
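The split the thread argues over (values can be bound as prepared-statement parameters; table names, field names, ORDER BY and LIMIT cannot, so a builder must validate them itself) as an added Python sketch in the shape of the select() call above. This is not MediaWiki's code nor anything from PHP core; the identifier pattern, the option handling and the user/revision sample data are assumptions made for the example.

```python
import re
import sqlite3
# Table, field and ORDER BY names cannot be bound as parameters, so they are
# validated against a strict identifier pattern instead (assumed whitelist).
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def ident(name):
    """Quote an identifier, rejecting anything that is not a plain name."""
    if not isinstance(name, str) or not _IDENT.match(name):
        raise ValueError("unsafe identifier: %r" % (name,))
    return '"%s"' % name

def build_select(tables, fields, conds, options=None):
    """Return (sql, params). conds: raw strings are developer-written join
    conditions; (field, value) tuples become 'field = ?' with value bound."""
    options = options or {}
    where, params = [], []
    for cond in conds:
        if isinstance(cond, tuple):
            field, value = cond
            where.append("%s = ?" % ident(field))
            params.append(value)          # value part: safe to bind
        else:
            where.append(cond)            # trusted literal, never user input
    sql = "SELECT %s FROM %s" % (", ".join(ident(f) for f in fields),
                                 ", ".join(ident(t) for t in tables))
    if where:
        sql += " WHERE " + " AND ".join(where)
    if "ORDER BY" in options:
        col, _, direction = options["ORDER BY"].partition(" ")
        if direction.upper() not in ("", "ASC", "DESC"):
            raise ValueError("unsafe ORDER BY direction: %r" % direction)
        sql += " ORDER BY %s %s" % (ident(col), direction.upper() or "ASC")
    if "LIMIT" in options:
        sql += " LIMIT %d" % int(options["LIMIT"])   # int() rejects injected text
    return sql, params

def make_sample_db():
    """Constructed in-memory data set mirroring the user/revision example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user(user_id INTEGER, user_name TEXT);
        CREATE TABLE revision(rev_user INTEGER, rev_page INTEGER, rev_timestamp TEXT);
        INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO revision VALUES (1, 7, '20090101'), (2, 7, '20090102'), (1, 8, '20090103');""")
    return db

def query(db, tables, fields, conds, options=None):
    sql, params = build_select(tables, fields, conds, options)
    return [tuple(row) for row in db.execute(sql, params)]
```

A value such as `"7 OR 1=1"` passed for `rev_page` is bound as a single parameter and simply matches nothing, while the same text placed in `ORDER BY` or `LIMIT` is rejected before any SQL is built.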