Moving from mysql real escape to PDO to make it more robust?
Let's see a real example; the code below is what I've been using so far and I've never had a problem, but recently, due to the Sony news etc., I feel I need to learn more about this topic, "security."
So this is my code. These functions below are methods of a class, but for time reasons I can't show you everything.
Connection to my DB
```php
function SQLinit($debug = 0)
{
    // $sql holds the config array and $svr_msconnect the connection handle;
    // in the asker's class these are shared state, shown here as globals so the snippet runs
    global $sql, $svr_msconnect;
    $svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
    if (!$svr_msconnect) {
        echo mysql_error();
    }
}
```
function to call queries
```php
function DoQuery($sql, $assoc = 0)
{
    global $svr_msconnect;
    if (!$svr_msconnect) SQLinit();
    $result = mysql_query($sql, $svr_msconnect);
    if (mysql_errno()) {
        // error alert....
    }
    if ($result === TRUE) return array();   // INSERT/UPDATE/DELETE: no result set
    $res = array();
    if ($assoc) {
        while ($row = mysql_fetch_assoc($result))
            array_push($res, $row);
    } else {
        while ($row = mysql_fetch_row($result))
            array_push($res, $row);
    }
    return $res;
}
```
and then a real EXAMPLE of simple user authentication:
```php
if (isset($_GET["e"]) && isset($_GET["p"])) {
    $e = $_GET["e"];
    $p = $_GET["p"];
    $e = mysql_real_escape_string($e);
    $p = mysql_real_escape_string($p);   // escaped before hashing
    $p = md5($p);
    $sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
    $result = DoQuery($sql, 1);
}
```
So basically my $result is an array with the values I need (employee names, book titles, whatever...).
My question:
I don't want to discuss MD5 or using a salt here, but given that this code is already implemented and spread across more than 50 files, is there a way to transform my code to a PDO approach?
I must say I don't know anything about the PDO approach; I've just seen some examples, but they were too theoretical and not enough: I have a specific context to solve...
PDO allows prepared statements, so your code would look something like this:
```php
$pdo = new PDO( /* ... params ... */ );
$stmt = $pdo->prepare("SELECT user_id,user_email,user_pass FROM user_tb where user_email = ? AND user_pass = MD5( ? ) ");
// If you have a User class, you can load it
// otherwise you get an array
$stmt->setFetchMode(PDO::FETCH_CLASS, 'User');   // the constant is PDO::FETCH_CLASS (PDO_FETCH_CLASS does not exist)
$stmt->execute(array($_POST["e"], $_POST["p"]));
$user = $stmt->fetch();
```
There's a caveat: if there is any chance the query log could be read by someone else (running on a shared server, for example), you should hash the password first before sending it to PDO, but anyone who was using ' or another character that was escaped in their password will need to reset it, because the hash will then be different.
For more about fetch mode magic, see
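One way to migrate the asker's DoQuery() helper to PDO while keeping its calling convention (array of rows, empty array for non-SELECT statements), added here as an example and not code from the question or the answer; it assumes a db_name entry in the $sql config array (the question shows only host, login and password) and uses placeholder connection values:

```php
<?php
// Added example: PDO-backed replacements for SQLinit()/DoQuery().
// The values are passed as a separate parameter array, so the 50 call sites
// change from string interpolation + mysql_real_escape_string() to a "?" placeholder.

function SQLinit(array $cfg)
{
    // 'db_name' is an assumption; 'charset' keeps escaping/encoding consistent server-side.
    $dsn = 'mysql:host=' . $cfg['db_host'] . ';dbname=' . $cfg['db_name'] . ';charset=utf8mb4';
    return new PDO($dsn, $cfg['db_login'], $cfg['db_pass'], array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // replaces the mysql_errno() check
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ));
}

function DoQuery(PDO $pdo, $sql, array $params = array(), $assoc = 0)
{
    $stmt = $pdo->prepare($sql);   // query text is sent once, without the data
    $stmt->execute($params);       // values are bound, never spliced into the SQL
    if ($stmt->columnCount() === 0) {
        return array();            // INSERT/UPDATE/DELETE: same contract as the old helper
    }
    return $stmt->fetchAll($assoc ? PDO::FETCH_ASSOC : PDO::FETCH_NUM);
}

// Placeholder config (constructed for this example).
$sql = array('db_host' => 'localhost', 'db_name' => 'app',
             'db_login' => 'user', 'db_pass' => 'secret');
$pdo = SQLinit($sql);

// The login query from the question: no escaping call, and the hash is computed
// in PHP so the plaintext password never appears in the server's query log
// (the caveat from the answer above). Note the old code escaped *before* hashing,
// so a stored hash for a password containing a quote will not match this one.
if (isset($_POST['e'], $_POST['p'])) {
    $result = DoQuery(
        $pdo,
        'SELECT user_id, user_email, user_pass FROM user_tb WHERE user_email = ? AND user_pass = ?',
        array($_POST['e'], md5($_POST['p'])),
        1
    );
    $loggedIn = (count($result) === 1);
}
```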
First of all, the PHP Data Objects Extension is simply a mechanism used to access and use databases. If you want to learn how to use the PDO library, check out the documentation. You can create a secure database implementation without the use of PHP's PDO extension, though.
Your current implementation isn't too bad, but I would definitely recommend NOT passing user credentials via the URI query string (i.e. use $_POST instead of $_GET for your more sensitive parameters).