Hi,
I just wanted to wish everyone happy holidays and a merry xmas – if applicable.
In other news .. well, we’ve been working hard on stuff and should have a bunch of new videos in January.
Thanks,
Stefan Mischook
Hi,
I decided to create a video based on my recent article on ORM frameworks. I shot this in HD … so select the HD option if you've got big pipes.
Let me know what you think.
Stefan Mischook

In the following article we will learn a few things about ORM frameworks:
Let’s start …
If you’re working with PHP, you will certainly find yourself working with relational databases (like MySQL) sooner or later. Anyone who has ever built a reasonably complex web application knows that the SQL can get really hairy at times – especially when you consider all the data filtering that you have to deal with!
ORM frameworks to the rescue!
ORM is yet another nerd-acronym; it is short for Object Relational Mapping. In a nutshell, an ORM framework is written in an object oriented language (like PHP, Java, C# etc…) and it is designed to virtually wrap around a relational database. If you look at the name (ORM), it basically translates into: mapping objects to relational tables.
There are many different competing ORM frameworks out there, because many nerds have their own ideas as to how to best do things – nothing new here! But you know what, some of these nerds are right … not all ORM frameworks are created equal.
First, let me just say that this is not a tutorial; this is an article meant to give you an overview with a few options thrown in.
Ok, let’s start …
You should protect your relational databases (like MySQL) from the dreaded SQL injection attack. These attacks are conducted by evil sniveling nerds trying to insert damaging SQL code into your HTML form fields (and query strings too) to do things like … drop database tables or even wipe out your database altogether!
… These attacks are very real!
My Recent Experience
We recently put up our new shopping cart system … I personally keep an eye on activity, and to my surprise, we can get 25-30 attempted attacks a day! Man, if I could just get my hands on one of these guys ….
Fortunately, there are a few code-centric steps you can take to protect yourself from these SQL injection attacks:
Another option (that I like to use) is to just remove the database from any possible external interaction. Sometimes this is not possible but when it is, it works well. So for instance, our cart does not talk to a relational database at all, so all these SQL injection attacks we get just make me giggle like a little school girl.
Stefan Mischook
www.killerphp.com