Questions about migrating from mysql to PDO

Hi guys, I recently decided to switch all my current simple MySQL queries, made using PHP's mysql_query(), to PDO-style queries to improve performance, portability and security. I just have some quick questions for any experts in this database interaction tool.

  • Will this prevent an injection if all statements are prepared? (I noticed that on php.net he wrote "however, if other parts of the query are created with unescaped input, SQL injection is still possible", and I was not exactly sure what that meant.) Does this mean that if all the variables are passed through the prepare function it is safe, and if some of them are inserted directly it is not?

  • Currently, I have a connection at the top of my page and queries being executed throughout the rest of the page. I looked at PDO in more detail and noticed that there is a try/catch block around each query, together with connecting and closing the connection. Is there an easy way to connect once and then reuse this connection without having to wrap everything in a try block or constantly repeat the connect, query, close procedure?

  • Can someone briefly explain, in layman's terms, what set_exception_handler is for?

I appreciate any advice from more experienced people.

+3
1 answer
  • SQL: [text of this point not recovered]

    $sql = "SELECT * FROM MyTable WHERE id = " . $_GET["id"];  // $_GET["id"] is concatenated into the SQL text
    $stmt = $pdo->prepare($sql);                               // prepare() receives the already-assembled string

    [Remainder not recovered; it refers to execute(), placeholders and "SQL Injection Myths and Fallacies".]

  • PDO and try: [text of this point not recovered]

  • set_exception_handler() and catch: [text of this point not recovered; it refers to the script, PHP, try and catch]


[Follow-up text not recovered; it refers to mysql_real_escape_string(), escaping/quoting and SQL, then introduces the example below.]

$domainObject = new MyDomain();

try {
  $domainObject->create_report($formInput);
} catch (PDOException $e) {
  // Report error politely so the user knows what happened
  // and what they can do to fix it.
}

[Closing text not recovered; it refers to create_report() and SQL.]

+3
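The following is an added example, not code from the question or the answer above, that puts the three points of the question together in one page-level script: a concatenated query beside its parameterized form, a single PDO connection opened at the top and reused without a try/catch per query, and set_exception_handler() as the last-resort catch. The DSN, the credentials, and a table MyTable(id INT PRIMARY KEY, name VARCHAR) are assumptions made for the example.

```php
<?php
// Added example (not from the original post or answer). Assumes a MySQL
// database reachable with the DSN/credentials below and a table
// MyTable(id INT PRIMARY KEY, name VARCHAR(255)); all of these are assumptions.

declare(strict_types=1);

// 3) Last-resort handler for any exception nothing else caught. PHP calls it
//    just before the script dies: log the detail, show the user a generic page.
set_exception_handler(function (Throwable $e): void {
    error_log('Uncaught ' . get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
    // The script terminates after this handler returns.
});

// 2) Connect once, at the top of the page, and reuse the handle everywhere.
//    ERRMODE_EXCEPTION makes every failed PDO call throw, so individual
//    queries need no try/catch of their own: either one try around the whole
//    request or the handler above will see the PDOException.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                        // assumed credentials
    'secret',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// 1a) Still injectable: the value is concatenated into the SQL text before
//     prepare() ever sees it, so prepare() has nothing to protect.
//     ?id=0 OR 1=1 returns every row.
function findByIdUnsafe(PDO $pdo, string $id): array
{
    $sql  = "SELECT * FROM MyTable WHERE id = " . $id;
    $stmt = $pdo->prepare($sql);
    $stmt->execute();
    return $stmt->fetchAll();
}

// 1b) Safe: the SQL text is fixed and the value travels separately through
//     execute(). Whatever it contains, it can only ever be compared to id.
function findByIdSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM MyTable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll();
}

// 1c) Placeholders only carry values. Identifiers (table and column names) and
//     keywords such as ASC/DESC cannot be parameters; those parts of the query
//     must be checked against an allow-list before being spliced in.
function listSorted(PDO $pdo, string $column, string $direction): array
{
    $allowedColumns = ['id', 'name'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('bad sort column');
    }
    $dir  = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("SELECT id, name FROM MyTable ORDER BY `$column` $dir");
    return $stmt->fetchAll();
}

// Page body: no try/catch here; a failure propagates to set_exception_handler().
$id = $_GET['id'] ?? '1';
foreach (findByIdSafe($pdo, $id) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The point of 1c is the one the php.net sentence quoted in the question is making: a placeholder protects exactly the value bound to it, and any other part of the statement that is built from input still has to be validated by other means.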

Source: https://habr.com/ru/post/1745590/
