Home > mailing lists

Re: PHP sucks!! - was: persistent db connections in PHP - Mailing list pgsql-general

From	Erick Papadakis
Subject	Re: PHP sucks!! - was: persistent db connections in PHP
Date	June 16, 2007 21:39:38
Msg-id	e9e8f77d0706161439i796e17bfo2a113a646b6808d7@mail.gmail.com Whole thread Raw
In response to	Re: PHP sucks!! - was: persistent db connections in PHP (PFC <lists@peufeu.com>)
List	pgsql-general

Tree view

On 6/17/07, PFC <lists@peufeu.com> wrote:
>  I either use pg_query_params() which automagically handles all quoting,
> or an ORM which does the same.
>  There is no reason to include strings in SQL statements except laziness.
>  MySQL does not have a mysql_query_params() for PHP, so you have to write
> one, it's pretty simple.


Take your pick:

- Quotemeta
- Addslashes
- Htmlentities($string, 'utf-8')
- Magic_quotes in the INI
- Anti-XSS code (several available online)


> Python's (and perl) strength in this respect is that they make it easier
> to use the safe solution, ie, query( "sql with ? or $1 or %s", arg, arg, arg )


$sql = '"select column from table where field = '%s';
$sql = sprintf($sql, $submittedvariable);
..


> PEAR::DB is horrendous.
>

And hugely unnecessary.

EP

pgsql-general by date:

From: "Erick Papadakis"
Date: 16 June 2007, 21:34:11
Subject: Re: PHP sucks!! - was: persistent db connections in PHP

From: Martijn van Oosterhout
Date: 16 June 2007, 21:50:14
Subject: Re: about cursors

Re: PHP sucks!! - was: persistent db connections in PHP - Mailing list pgsql-general

Previous

Next