Previously on "Why is the DB on this forum so dodgy?"

  • Dundeegeorge
    replied
    All very interesting indeed

    but where's the abuse?
    Or at least a picture of some tits? (cue the hysterical pictures of parus major)

  • TheMonkey
    replied
    Yeah the mysqli extension does that using recent mysql client libs. Only problem is that 90% of crappy php web hosts don't use it.

    mysql_escape_string IS safe. I've read the source code!

  • Cowboy Bob
    replied
    Originally posted by bogeyman
    Do you mean that strings should never be passed through, and the query should be abstracted from the actual SQL call - if so, I entirely agree.

    To illustrate...

    If an app needs to return a record for an Engineering Part, let's say, then the app should provide a GetPartRecordByNo(string partNo) method.

    Rather than GetWhateverIWant("SELECT * FROM TABLE_PARTS");

    It's only right!
    Nope. It should be something like this - in whatever syntax you prefer:-

    Code:
    PreparedStatement stmt = connection.prepareStatement("select * from table_parts where partNo = ?");
    stmt.setString(1, partNo);
    stmt.execute();
    This leaves the string escaping to the DB itself, which is a much better way of doing things as it is more likely to know what's best.

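    To put the two approaches in this exchange side by side, here is an added example (not code from the thread) in Python against an in-memory SQLite table: the sprintf pattern without and with an escaping step, and the parameterised form Cowboy Bob describes. The sample users, `pw_hash` using sha256 in place of MySQL's MDL MD5(), and the hypothetical `sql_quote` escaper standing in for mysql_escape_string are assumptions of the example.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the thread's `user` table. SQLite has no MD5(),
# so the hash is computed in Python; sha256 here is only a stand-in for the MD5() call.
def pw_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY, email_address TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "alice@example.com", pw_hash("correct horse")),
                      (2, "o'brien@example.com", pw_hash("battery staple"))])
    return conn

QUERY_FMT = "SELECT user_id FROM user WHERE email_address = '%s' AND password = '%s'"

def login_sprintf(conn, email, password):
    # The sprintf pattern with the escaping step forgotten: data is spliced into the SQL
    # text, so a perfectly legitimate O'Brien address already breaks the statement.
    row = conn.execute(QUERY_FMT % (email, pw_hash(password))).fetchone()
    return row[0] if row else None

def login_escaped(conn, email, password):
    # The thread's actual pattern. sql_quote is a hypothetical stand-in for
    # mysql_escape_string; it works only while it matches the server's literal syntax
    # exactly, for every value, at every call site.
    def sql_quote(s):
        return s.replace("'", "''")
    row = conn.execute(QUERY_FMT % (sql_quote(email), sql_quote(pw_hash(password)))).fetchone()
    return row[0] if row else None

def login_prepared(conn, email, password):
    # The PreparedStatement shape: fixed SQL text, values bound as parameters, quoting
    # handled by the driver and the database rather than by the caller.
    sql = "SELECT user_id FROM user WHERE email_address = ? AND password = ?"
    row = conn.execute(sql, (email, pw_hash(password))).fetchone()
    return row[0] if row else None

def demo():
    # Runs the three variants against the constructed table and reports what each returns.
    conn = make_db()
    try:
        sprintf = login_sprintf(conn, "o'brien@example.com", "battery staple")
    except sqlite3.OperationalError:
        sprintf = "syntax error"
    return {"sprintf": sprintf,
            "escaped": login_escaped(conn, "o'brien@example.com", "battery staple"),
            "prepared": login_prepared(conn, "o'brien@example.com", "battery staple"),
            "prepared_wrong_pw": login_prepared(conn, "o'brien@example.com", "nope")}
```

    The escaped and parameterised variants both return user 2 for the apostrophe address, but only the parameterised one does so without the caller having to know the server's quoting rules.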
  • Cowboy Bob
    replied
    Originally posted by TheMonkey
    I use PHP quite regularly. My code DOES escape strings, but safely:

    Code:
    /**
     * Login and set cookie etc.
     * Presumably a method of a class whose $this->database member wraps the
     * DB connection (the surrounding class is not shown in the post).
     */
    function security_login($email_address, $password, $remember_me) {
        $sql = sprintf("SELECT user_id FROM user WHERE email_address = '%s' AND password = MD5('%s');",
            mysql_escape_string($email_address),
            mysql_escape_string($password));
        print_r($this->database->querySingleRow($sql));
    }
    Note - that is a seriously unfinished part of the app's API.
    Ding, you're a winner!!! You should never escape strings to pass into DB queries - it's inherently unsafe with regards to SQL injection. I know you're going to say that the mysql_escape_string escapes the string to make it safe, but how do you know it catches ALL eventualities? It's such a weak point, don't trust it. There are better ways. You should always use parameterized queries. I understand PHP has something called PearDB that can do this. A PreparedStatement is what it's called in the Java world.

  • TheMonkey
    replied
    I use PHP quite regularly. My code DOES escape strings, but safely:

    Code:
    /**
     * Login and set cookie etc.
     * Presumably a method of a class whose $this->database member wraps the
     * DB connection (the surrounding class is not shown in the post).
     */
    function security_login($email_address, $password, $remember_me) {
        $sql = sprintf("SELECT user_id FROM user WHERE email_address = '%s' AND password = MD5('%s');",
            mysql_escape_string($email_address),
            mysql_escape_string($password));
        print_r($this->database->querySingleRow($sql));
    }
    Note - that is a seriously unfinished part of the app's API.

  • bogeyman
    replied
    Originally posted by Cowboy Bob
    I've yet to meet any other sort. Just look here - http://thedailywtf.com/forums/thread/87226.aspx - where they're all banging on about using escaped strings to pass into SQL statements. And these guys nearly all seem to think they're experts.

    (If you have to question why escaping strings is bad, put yourself into the aforementioned category).
    Do you mean that strings should never be passed through, and the query should be abstracted from the actual SQL call - if so, I entirely agree.

    To illustrate...

    If an app needs to return a record for an Engineering Part, let's say, then the app should provide a GetPartRecordByNo(string partNo) method.

    Rather than GetWhateverIWant("SELECT * FROM TABLE_PARTS");

    It's only right!

  • AtW
    replied
    I view strings as arrays of bytes, do I need to escape numbers too?

  • Cowboy Bob
    replied
    Originally posted by TheMonkey
    crappy PHP developers
    I've yet to meet any other sort. Just look here - http://thedailywtf.com/forums/thread/87226.aspx - where they're all banging on about using escaped strings to pass into SQL statements. And these guys nearly all seem to think they're experts.

    (If you have to question why escaping strings is bad, put yourself into the aforementioned category).

  • AtW
    replied
    Yes, crappy developers do not write set matching in assembly, amateurs.

  • TheMonkey
    replied
    Let's help people understand MySQL a little better and jump to its defence a little...

    - It has referential integrity.
    - It has programmable constraints
    - It has stored procedures
    - It has views.
    - It has replication.
    - It has a tiered security architecture.
    - It has full text indexing that works REALLY well.
    - It does ANSI SQL.
    - It is extremely fast.
    - It runs on more platforms than any other RDBMS.
    - It has decent development tools.
    - It is cheap as in £0
    - It is easy to install and use.
    - It has a clustering facility.
    - It has good documentation.
    - It has .Net providers, JDBC providers, ODBC providers and modules for almost every scripting language on the planet.

    99% of MySQL's problems are the crappy PHP developers who insist on backwards compatibility with version 4.1 and below.
    Last edited by TheMonkey; 23 August 2006, 15:50.

  • hyperD
    replied
    Originally posted by ferret
    Apologies if the forum outages caused you to do any work, we know this is inexcusable and we will be working hard to make sure you are not distracted by work again in the future.
    LOL! Yes, quite impressed with the last hour - you must do more of that outage please!!

    One small thing, Mr Ferret: the emoticons seem to render every time when you get to the reply/add new post page.

    Any chance of caching them because until they've rendered, the Toolbar buttons seem to create a JavaScript error if you click on them prematurely?

  • bogeyman
    replied
    Originally posted by Cowboy Bob
    Only a finer point??? I'd argue that this is the cause of many a forum crash due to keys getting out of step with different PHP scripts updating the same tables. Just a hunch...

    EDIT: Notice that the breadcrumbs on the top of the forum throw errors right now? I'd lay money on that being some sort of PK clash.
    True, RI is important, but we had RDBMSs for many years before RI was the norm. You just had to do the referentiality checking in code. Lazy BB coding I suspect, rather than MySQL's fault.

    I do, however, agree that it would be nice if MySQL had a coherent RI implementation.

  • Cowboy Bob
    replied
    Originally posted by bogeyman
    (maybe because it skips on some of the finer points, like referential integrity checking)
    Only a finer point??? I'd argue that this is the cause of many a forum crash due to keys getting out of step with different PHP scripts updating the same tables. Just a hunch...

    EDIT: Notice that the breadcrumbs on the top of the forum throw errors right now? I'd lay money on that being some sort of PK clash.
    Last edited by Cowboy Bob; 23 August 2006, 12:57.

  • bogeyman
    replied
    Originally posted by DimPrawn
    Obviously not seeing the number of outages on this site. Not exactly high throughput is it? A few posts a minute.
    Well it depends on the server resources available, doesn't it?

    MySQL is generally regarded as fairly high throughput (maybe because it skips on some of the finer points, like referential integrity checking).

    You can't blame the DB for being on a crap underpowered server.

  • AtW
    replied
    It's most likely a shared server.
