Chapter 3. Databases and SQL
PHP’s role is often that of a conduit between various data sources and the user. In fact, some people describe PHP more as a platform than just a programming language. To this end, PHP is frequently used to interact with a database.
PHP is well suited for this role, particularly due to the extensive list of databases with which it can communicate. The following list is a small sample of the databases that PHP supports:
DB2 |
ODBC |
SQLite |
InterBase |
Oracle |
Sybase |
MySQL |
PostgreSQL |
DBM |
As with any remote data store, databases carry their own risks. Although database security is not a topic that this book covers, the security of the database is something to keep in mind, particularly concerning whether to consider data obtained from the database as input .
As discussed in Chapter 1, all input must be filtered, and all output must be escaped. When dealing with a database, this means that all data coming from the database must be filtered, and all data going to the database must be escaped.
Tip
A common mistake is to forget that a SELECT
query is data that is being sent to the database. Although the purpose of the query is to retrieve data, the query itself is output.
Many PHP developers fail to filter data coming from the database because only filtered data is stored therein. While the security risk inherent in this approach is slight, it is still not a best practice and not an approach that I recommend. This approach places trust in the security of the database, and it also ...
Get Essential PHP Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.