MySQL Prepared Statements Fetch Problem

AbiusX · 2009-06-18T13:15:07+00:00

Hi I've created a DBAL module for a framework, And added Prepared Statements support to it. Here's the whole class code: <?php /* * Database Access Laye...

MySQL Prepared Statements Fetch Problem

AbiusX

this is not what i intended to do, But I used a foreach to copy every member of the array. This was there would be no possiblity for references to be copied.

Bjom

Which is pretty much exactly the solution in the PHP manual that I was pointing to a couple of posts earlier.

Read the user note posted by denath2 at yahoo dot com
19-May-2008 07:27

linkage

so this is THIS kind of forum. We help.

Bjom

AbiusX

But I checked it then, Ignored that post! Since I had red that PHP Manual over and over and that post wasn't there when I coded this 😃 And now it's there 🙂) Its not really my problem. Its a short paragraph you'd better had it copied urself

Bjom

that post wasn't there

while you are at it: read through those OWASP documents you referenced and the site again (nice reads btw). You'll find a lot of things that seemingly "weren't there" when you read them the first time. Like how escaping can be a useful part of a security design. Jeff Williams must have got it all wrong? OWASP SQL Injection Prevention Cheat Sheet

Bjom

AbiusX

You have to understand what you read 😃 "Escaping can be a useful part of a SECURITY DESIGN" not an application design. Of course escaping is pretty good for security experts, and people who try to penetrate and secure a piece of software. Those are called security experts, Not developers. 🙂

regards

Shrike

AbiusX;10919174 wrote:
I'm wondering how you make websites with only two lines of code 🙂 Surely your webs won't be cracked by anyone!

I'd rather people responding to my main question instead of toying 🙂 What kinda forum is this?

I'm sorry if you didn't like my reply but I'd rather people did not spread misinformation about coding techniques on these forums.

Bjom

Escaping can be a useful part of a SECURITY DESIGN

That's something I wrote, not something I read. It's not a quote. You need to read more thoroughly as I have already pointed out.

Well: so far you have come up with half-baked, somewhat modified solution from the PHP Cookbook 2 and a hack that can be found in the php manual and a lot of bragging.

Show us your expertise - for example point out the security vulnerability in Shrike's example. I'm curious.

Bjom

AbiusX

I already told you there's no weakness in a single line of code, as there are no bugs in one either.

Read the Cheat Sheet to know how to bypass " ' and ; escaping, Which is what real_escape_string does.

There's a big text manual namely "OWASP testing guide" available as PDF through OWASP wiki. I suggest you read that first, Since Security is not like an algorithm that you implement. It's something that should be taken care of amongst the whole SDLC.

Let me explain a bare scenario here:
You've taught a few developers how to use escape_string and prevent injections. They have a bad habit of concatenating string, So they concat them and escape, And it won't work. Then they escape them and concat, And it works.
But this is a very common SQL statement: SELECT * FROM footable WHERE ID=5
And tada! You can inject everything here.

Ok now you see this and tell you developers to insert everything as strings, Even "'".date("Y-m-d H:i:s")."'", And so they do. After a few works, They get bored and do something like this:
SELECT * FROM foo WHERE ID=$pagenumber

and they get pagenumber form a cookie or something. A developer would never think that a cookie would contain injections, I've seen million of cases where developers simply check for validity of an input field with max length of 4 which is supposed to have numbers on client side, and assume it's safe afterward.

The point is, Developers are not security experts, And they are not intended to be. A developer is paid a certain fee, And an app security expert is paid much more. If we had had all our developers enough training to be the same as security experts, Then we never needed any framework or wrapping for security.

And one last point, Just to let you know, Many major development platforms e.g. Google Gears have cut out the use of SQL Queries and only allow you to use Prepared Statements.

regards

Shrike

If developers are not meant to be security minded, why on earth do websites such as the OWASP exist? I work professionally as a developer for a credit card processing firm, so you could say security is a rather important concern.

Besides this, security does not begin and end with SQL. It's just the tip of a rather large iceberg.

AbiusX

What you said, is neither true nor in any relation with what I just said. I think you just aimed to say where you work 😃 I work on IRIRW and Culture Ministry and many more enterprises. And of course security isn't dedicated to SQL😃 who on earth doesn't know that!

Shrike

AbiusX;10919187 wrote:
The point is, Developers are not security experts, And they are not intended to be. A developer is paid a certain fee, And an app security expert is paid much more. If we had had all our developers enough training to be the same as security experts, Then we never needed any framework or wrapping for security

I said what I do for a living to try and illustrate the fact that not all developers are like you.

AbiusX

Btw you oughta know that I'm not a developer. I've got a team of developers under my direct guidance and teach web development, application security and cryptography at SBU University.

Also more than a hundred developers at IRIRW work together with me to get secure apps as result.
enough of this talk already

laserlight

Okay, from what I understand, your concern is that this is slow:

while ($this->Statement->fetch())
    $output[]=unserialize(serialize($out));

As a quick fix, have you tried say:

while ($this->Statement->fetch())
    $output[] = array_slice($out, 0, count($out), true);

AbiusX

I want to know a faster solution than foreach on the array and copy 🙁 is there one?

Bjom

From your last reply to me I almost thought you'd tone down the bragging a bit and I could agree with you. Too sad it went off to another direction :p.

Have you or your team of developers tried to implement this using PDO or ADODB? Could be worth trying and running some benchmarks between the different solutions.

Bjom

AbiusX

Yep actually we did. ADODB is not quite well, Its support is limited. PDO is much slower than MySQLi. I'd rather an interface to make for every RDBMS.

btw MySQLi is incredibly fast! I've seen metabase, But jFramework which i'm developing this for, Is a matter of simplicity and scalability. All those abstractions ruin simplicity 🙁 Thats bad.

jFramework takes 2 mins to deploy!

laserlight

AbiusX wrote:
I want to know a faster solution than foreach on the array and copy is there one?

Well, array_slice() will not cut it: apparently the references remain. I am afraid that I cannot think of anything faster than a manual deep copy, at least for now.

Shrike

while ($this->Statement->fetch())
  $output[]=array_map( 'sprintf', $out );

Maybe that would work.

laserlight

Shrike wrote:
Maybe that would work.

It works, but it is slower than a manual deep copy.

Shrike

I had a feeling it would be, still I got the impression the original poster wanted a 1-line solution. It seems to me that the whole issue is related to a hack to work around a limitation in mysqli anyway 😉