
At work we have a lot of PHP-based applications and all of them run on PHP 5.2. I'm making my way to update them all to PHP 7, but I came to a problem, as all queries were done via the mysql method. I wanted to remake them into prepared statements, but my boss told me to just strip input of special chars and use regular queries.

I want to ask if that approach is secure enough.

  • No. Prepared statements are the only way to make the queries secure. – aynber Mar 11 '20 at 13:19
  • No. It comes nowhere close enough. – Jay Blanchard Mar 11 '20 at 13:19
  • No, it is not. And you should never “strip” input in the first place, that is just outright wrong. Imagine if StackOverflow did that, with “special characters” - we’d barely be able to discuss anything at all, because no one would be able to post example code for anything. – CBroe Mar 11 '20 at 13:20
  • Thanks, it's my first year of work so that's why I wanted to make sure. – MiszczTheMaste Mar 11 '20 at 14:03
  • Just make very sure that when someone does a "Bobby Tables" on your web-site that they ***fire*** your boss and not you. – Mike Robinson Mar 11 '20 at 14:27
  • It's an important first-year lesson about working as a software developer: Bosses nearly always want you to do any task in the shortest way possible, and they'll sacrifice code quality and security in favor of shortening the schedule. Because they have to account for your wages, so if you have a task that takes 2 weeks to do badly but 8 weeks to do properly, they have a strong incentive to choose the former. – Bill Karwin Mar 11 '20 at 15:18
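An added example, not code from the question or its comments, of the migration the commenters recommend: the "strip special characters and concatenate" pattern the boss proposed, beside a PDO prepared statement that PHP 7 supports out of the box. The `users` table, DSN and credentials are assumptions.

```php
<?php
// Added example for the question above; not from the original post.
// Assumes a MySQL table users(id, username, email) and a PDO connection.
declare(strict_types=1);

// The pattern proposed by the boss. Besides relying on the mysql_ extension
// that PHP 7 removed, it mangles legitimate input (the apostrophe in O'Brien
// is silently dropped) and still concatenates the value into the SQL text.
function legacyLookup(string $username): string
{
    $stripped = preg_replace('/[^A-Za-z0-9_]/', '', $username);
    return "SELECT id, email FROM users WHERE username = '$stripped'";
}

// The PHP 7 replacement: the SQL text and the data are sent to MySQL
// separately, so the value can never be parsed as part of the statement
// and no characters need to be removed from it.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function connect(): PDO
{
    // Assumed DSN and credentials; replace with the application's own.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Constructed input: a perfectly valid username that stripping corrupts.
$username = "O'Brien";
echo legacyLookup($username), PHP_EOL;     // apostrophe gone, wrong user queried
$user = findUser(connect(), $username);    // exact value, passed as a parameter
var_dump($user);
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use MySQL's native prepared statements rather than client-side quoting, which is the behaviour the comments are describing.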

0 Answers