afraid of SQL injection attacks
Posted: Thu Nov 13, 2008 10:52 am
New to forum and need some help.
Working on a website (personal) in PHP and MySQL and I'm afraid of SQL injection attacks. My site requires a lot of user interaction and uses a lot of SQL and relational databasing. I don't want to get too far down the road and realize I screwed up somewhere. Here are my questions...
1) Could someone give me an example of a strongly typed query versus a vulnerable one?
2) How well do mysql_real_escape_string() and mysql_escape_string() work to protect against unwanted commands? Could I just use that to sanitize my data?
3) Or should I use PDOs to query? I'm not too familiar with PDOs but from what I've read, there's quite a bit of debate whether they speed up or slow down your query time.
4) How exactly do PDOs protect you against a SQL injection attack?
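The contrast the first question asks for, as an added example that is not part of the original post or of any reply: a query built by string concatenation, an escaped-but-unquoted value that escaping cannot save, and the same lookup as a PDO prepared statement. It uses an in-memory SQLite database through PDO so it runs offline; the `users` table, its one row, and the `escapeLike()` stand-in (which copies mysql_real_escape_string()'s byte substitutions but ignores the connection charset, which is exactly why the real function needs a live connection) are all constructed for this illustration. Note that the `mysql_*` functions were removed in PHP 7.0, so PDO or mysqli is the only option on a current PHP.

```php
<?php
// Added example, not from the original post. Runs offline on pdo_sqlite.
// For MySQL you would swap the DSN for the usual 'mysql:host=...;dbname=...' form
// plus credentials; the prepared-statement code below is unchanged.

// 1. The vulnerable pattern: user input concatenated straight into the SQL text.
function vulnerableLoginSql(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
}

// 2. Escaping only protects a value that sits inside quotes in the SQL.
//    Stand-in for mysql_real_escape_string(): same byte substitutions,
//    no charset awareness (constructed for this example).
function escapeLike(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

function escapedButUnquotedSql(string $id): string
{
    // Numeric column, no quotes around the value: there is nothing for the
    // escaping to neutralise, so "1 OR 1=1" goes through untouched.
    return 'SELECT id FROM users WHERE id = ' . escapeLike($id);
}

// 3. Parameterized query with PDO: the SQL is compiled first, the values are
//    bound afterwards, so a value can never change the statement's structure.
function findUserId(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Constructed sample data. Passwords are stored in plain text only to keep the
// example short; a real site stores a salted hash and compares against that.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (id, username, password) VALUES (1, 'alice', 's3cret')");

$attack = "' OR '1'='1";

echo vulnerableLoginSql('alice', $attack), PHP_EOL;
// SELECT id FROM users WHERE username = 'alice' AND password = '' OR '1'='1'
// The OR clause is always true: the attacker logs in without knowing the password.

echo escapedButUnquotedSql('1 OR 1=1'), PHP_EOL;
// SELECT id FROM users WHERE id = 1 OR 1=1
// Nothing was escaped because nothing needed a quote; the injection still works.

var_dump(findUserId($db, 'alice', $attack));   // NULL: the payload is compared as a literal string
var_dump(findUserId($db, 'alice', 's3cret'));  // int(1)
```

On MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver uses real server-side prepared statements rather than client-side quoting; the injection resistance of the emulated mode depends on the driver knowing the connection charset, which is the same weakness that makes mysql_escape_string() (no connection, no charset) worse than mysql_real_escape_string().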