amygdala wrote:
Hi,
Can anyone recommend some extensive PDO documentation? Especially
documentation that describes PDO's security capabilities. For instance what
measurements does the PDO::prepare take to prevent SQL injection, etc.? And
what extra measurements would be appropriate.
PHP's PDO manual isn't very elaborate IMO.
Yeah, the PDO documentation is rather sparse. AFAIK, it will use the
underlying database driver's implementation for escaping strings to
make them safe for queries, and it can't get much better than that,
since those take into account the character specifics of that database.
For database's that don't have prepared statements (ie: mysql < 4.0,
iirc), i believe it emulates them. Not sure what it does exactly, most
likely escapes common characters like ' and "
PDO is very lightweight for a database layer. While it is very fast,
it doesn't have as many features as PEAR::DB or equiv. If you need
more capabilities or options, I suggest another abstraction layer, like
MDB2, adoDB, or any of the other ones.
>
I was also wondering whether it is safe to asume that a fair amount of
(shared) hosting providers will have PDO (and thus PHP5?) installed. Any
experiences?
Thanks!
A.
I'm not sure on how widespread PHP5 is. A few hosters I know of have
it, many don't. The same goes for PDO, since it must be manually
specified in configure and added to the ini file.
