Reputation: 693
what is the best way to call data from MySQL with speed and security in mind?
can some one provided some suggestions of constructing MySQL querys that are both fast as well as secure.
Currently I am using typical MySQL calling method
$q = ("...");
$r = mysql_query($q);
but I was looking into OOP database programming so I am wondering which method would be the best to use and implemend on multiple pages with security and speed in mind.
Upvotes: 1
Views: 117
Answers (4)
Reputation: 5705
It is hard to combine most important features in one think in general, PDO provide data-access abstraction layer, so you write once and use your script with different database server's, however, PDO not mush faster then MySQLi as the benchmark here show, but its provide many other features, query cache, prepared statement, and support most known databases server.
If you really looking for OOP database abstraction layer then use PDO, easy to use, fast to learn.
Upvotes: 0
Reputation: 3972
For security purposes, always use database parameters instead of putting what the user provides directly in the query. You can do this by either using the mysqli_ family of functions or the PDO object.
For speed, you should just try to optimize your queries as much as possible as well as try to do as few queries as needed because each hit to the database will slow down your application.
Upvotes: 2
Reputation: 10467
The best way without much effort would be to use PHP PDO [PHP Data Object] extension. Here is the manual for it:
http://php.net/manual/en/book.pdo.php
Example:
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
?>
You should learn the idea of "prepared statements" - it really improves security compared to mysql_query() way.
Upvotes: 5
Reputation: 9428
The mysqlnd library included in PHP >= 5.3 is faster than the original mysql and mysqli libraries.
Security is a much bigger ball of wax, but the general principle to keep in mind is not to ever trust or assume that user-generated data is safe. Use the string escape functions on strings; make sure things you expect to be ints or floats are typecasted as such.
Upvotes: 1
Related Questions
- Best Way to Secure SQL Query in PHP
- The most efficient way to access a mysql database extracting multiple data for website
- how to pass and process data (php) to database (mysql) for best performance?
- Optimal way to serve data from mysql
- efficient and secure queries idea - mysql
- Safe way to fetch data with mysql/php
- How can I use PHP to make secure calls to MySQL Databases?
- Secure way to insert and retrieve data to and from MySQL
- The best efficient method to connect MySQL from PHP?
- Securing fetched data with PHP