Yes, PHP often gets a lot of flak for this, as its status as an introductory languages makes for a greater number of subpar coders and introductory tutorials, but SQL injection is by no means a “PHP thing.” Actually, there are probably more resources warning about SQL injection for PHP than other languages…

Wouldn’t it be useful if there was one resource you could point people to in order to explain SQL injection and show some examples of best practices in their language of choice?

Bobby-Tables.com has examples of safe methods to handle database interaction in several languages, including PHP, Python, C#, Ruby and Java. Plus, it gets bonus points for referencing the relevant XKCD comic. (There really is one for every occasion, isn’t there?)

Unfortunately, phpMyAdmin often has trouble processing large files. Sometimes it takes so long for the process to run that it times out, or other times the upload quota is simply too low.

Fortunately, there’s a simple solution: split your SQL file into smaller chunks. Here’s a command you can use under Mac OS X or Linux to do it automatically:

split -l 5000 ./path/to/mysqldump.sql ./mysqldump/dbpart-

The split command takes a file and breaks it into multiple files. The -l 5000 part tells it to split the file every five thousand lines. (You can tweak this value to find a good medium between fewer files and larger sizes.) The next bit is the path to your file, and the next part is the path you want to save the output to. Files will be saved as whatever filename you specify (e.g. “dbpart-“) with an alphabetical letter combination appended.

Now you should be able to import your files one at a time through phpMyAdmin without issue.

I’m going to recommend PDO over MySQLi simply because it’s available on more systems, and it’s syntax may be a little bit easier to learn for newbies. PDO has been bundled with the main PHP distribution since PHP 5.1, and has been in PECL even longer, while MySQLi has only been included since 5.3. Whichever you use is up to personal preference and project requirements of course, but I will be sticking with PDO for the duration of this tutorial.

Suppose you have a simple bit of PHP that executes a MySQL query and ouputs a list of items to screen. It might look something like this:

    $db = mysql_connect("localhost", "username", "password");
    mysql_select_db("database", $db);

    $string = mysql_real_escape_string($string, $db);
    $query = "SELECT * FROM my_table WHERE item_cat='".$string."' ORDER BY item_date DESC LIMIT 5";
    $result = mysql_query($query);

    if ( mysql_num_rows($result) > 0 ) {
        while ( $row = mysql_fetch_assoc($result) ) {
            echo $row['item_title'] . '<br />';
        }
    }

You’re escaping any input from a third party with mysql_real_escape_string() to prevent injection attacks, I hope. SQL injection is one of the most common ways data is stolen or destroyed by attackers, and it’s also fairly easy to discourage. Escaping input, while not necessarily 100% effective, should prevent most injection attacks. (And it’s pretty much your only choice with the old MySQL extension.) A better solution is parameterized statements, which we’ll get to later.

If your server has PDO installed (which is probably the case if you have PHP 5.1 or greater), migrating is fairly easy. The basic principles are the same, though the syntax differs just a bit. It’s actually a bit cleaner and more object-oriented.

The example above would look something like this:

$db = new pdo("mysql:host=localhost;dbname=database_name", "username", "password");
$string = $db->quote($string);
$query = "SELECT * FROM my_table WHERE item_cat=$string ORDER BY item_date DESC LIMIT 5";
$result = $db->query($query);

if ($result != false) {
    while ( $row = $result->fetch(PDO::FETCH_ASSOC) ) {
        echo $row['item_title'] . '<br />';
    }
}

$result  = null;

Doesn’t that look nicer? Feel free to take a moment to appreciate the object-oriented goodness.

The biggest difference is probably the connection line. The “DSN” syntax used to connect to the database might look a bit strange at first, but it’s an important part of PDO. Since PDO can connect to other types of databases besides MySQL (e.g. PostgreSQL and SQLite), it uses a fairly standard connection string that specifies the server type besides the database name.

Escaping strings works essentially the same, but the syntax is slightly different. You need to remember to not put quotes around the variable in your SQL string, as the PDO::quote() method will do it for you. If you compare the SQL statements in the two examples, you’ll see the lack of quotations in the PDO example.

One gotcha to be aware of with PDO is that you need to set your $result variable to null if you intend to reuse it later on in the same script. You can end up with some weird results if you don’t. So just get in the habit of setting it to null or using unset() on it.

Now how about those parameterized statement things? They’re a way of ensuring that your code will be immune to SQL injection. Instead of mashing PHP strings together and passing the resulting query to the database engine, you keep the query and the potentially dangerous data separate. Placeholders are put in the query, and the data assigned to those placeholders is sent along with it.

$db = new pdo("mysql:host=localhost;dbname=database_name", "username", "password");

$sql = "SELECT * FROM my_table WHERE item_cat= :mystring ORDER BY item_date DESC LIMIT 5";
$statement = $db->prepare($sql);

$statement->execute(array(
    ':mystring' => $my_string
));

$result = $statement->fetchAll();

if ($result != false) {
    while ( $row = $result->fetch(PDO::FETCH_ASSOC) ) {
        echo $row['item_title'] . '<br />';
    }
}

$result  = null;

Parameterized queries may have some performance issues on MySQL versions prior to 5.1, but they shouldn’t have any significant disadvantages on more modern systems. Security-wise, they’re considered to be better than simply escaping strings.

I hope this little guide has been sufficient to get you started with PDO. You will probably want to check out the documentation to see what else it can do. While you don’t necessarily need to go out and update your old code right away—the PHP devs aren’t going to drop support for the old ext/mysql extension for quite a long time, if they ever get rid of it completely—but you should definitely familiarize yourself with the newer techniques and use them in new projects.

S3, or Simple Storage Service, is Amazon’s cheap cloud data storage system. Michael Martin, the author of the tutorial, says that his bill from last month was $2.60. ($0.15 per month per GB for stored, $0.15 per GB transferred.) Using a backup script on your server, you can automatically archive and encrypt your files and MySQL dumps, then send them off to Amazon’s servers for safekeeping.

I should start by saying that while s3 is not a free service, it’s incredibly inexpensive! My bill for the last month was $2.60, and that was with backing up a lot more than just this site! It’s the cheapest peace-of-mind ever.

Automatic Amazon S3 Backups on Ubuntu/Debian [Pro Blog Design]

Web apps and web services multiply like rabbits. They’re all fun to play with (like rabbits) and fun to integrate into other projects (unlike rabbits). But learning a new API every other day isn’t feasible or fun. And that’s the problem the Yahoo Query Language (YQL) is out to solve.

Think of YQL as the API for the web, the one API to rule them all. It’s not a hard one to learn, so let’s get you up to speed right now!

I couldn’t have said it better myself. YQL is just that: a wrapper for other APIs. It makes it easy to gather data from virtually any API, mash data up if necessary, and bring it into your own application. With generous daily query limits, and no commercial usage restrictions, what’s not to like?

A basic query to collect tweets from two twitter accounts would look like this:

SELECT * FROM twitter.status.timeline.user WHERE id in ('redwall_hp','fantasyfolder')

Very much like an SQL query, no? And there are “tables” to obtain data from many sources, such as Delicious, Netflix, Facebook, Flickr, Github, Last.fm, RSS feeds, etc.. Is there not a table for an API you need to use? You can create one.

Result sets can be returned as XML or JSON.

Developer tools like this and the BOSS search API, which is one of the available tables in YQL, are what I believe will keep Yahoo alive in the coming years.

Of course, when it comes to the security of your WordPress site, these techniques are merely the beginning. As you continue in your WordPress travels, you will discover many, many more ways to increase the security of your site. By implementing the methods presented in this article during the setup process, you will be strengthening the security of your site’s foundation, providing yourself a solid platform on which to build.

Definitely worth a read if you haven’t already looked into the techniques.

How to Secure Your New WordPress Installation [Digging into WordPress]

You may not be aware of it, but there is an alternative to the “mysql_*” function set. The mysqli functions, for “MySQL Improved” are used in much the same way as their predecessor, but they have some advantages. One such advantage is “Prepared Statements,” a method of preparing a query that separates the data from the syntax.

Prepared Statements are a little harder to use, but they are more secure, and arguably easier to write and maintain.

Prepared Statements in PHP and MySQLi

Instead of grabbing and building the query string using things like $_GET[‘username’], we have ?’s instead. These ?’s separate the SQL logic from the data. The ?’s are place holders until the next line where we bind our parameters to be the username and password. The rest of the code is pretty much just calling methods which you can read about by following some of the links at the end of the article.

Suppose you have a input form that asks for an email address for a newsletter subscription. The data is passed to the script, which inserts the data with the following:

$input = $_POST['email'];
mysql_query("INSERT INTO emails (email) VALUES('$input')");

Looks fine at a glance, doesn’t it? Well, it would if you’re new to the horrors of SQL injection. Note that the form field’s data is passed right along without any validation. That is not good. Some contempt-worthy person could come along and type something like this into the form:

blah@example.org'); DROP TABLE emails;

This would insert a dummy email, then delete the whole database table. Oops.

How can you protect yourself from SQL Injection? The first step is to validate your data. You’re expecting an email address to be submitted, right? So why don’t you make sure the submitted data looks like an email address? You could use regular expressions (or something) to make sure the string is a substring followed by a “@” followed by another substring, and make sure there aren’t any characters that wouldn’t be valid in an email address.

The next step is to use the mysql_real_escape_string() function to remove any escape characters from the string, to make sure there are no unpleasant surprises in the input string. The PHP function reference recommends that you do this any time you query the database with information from a user.

SQL Injection is definitey something you need to be aware of. Do some Google-ing and read up on it. The worst that could happen is having no one try to hack the script you spent time securing.

The tips include

• Backing up (and restoring) your database
• Batch deleting post revisions
• Resetting a lost admin password
• Updating your database with a new domain, if you ever move to a new one

Definitely some knowledge to have your blogger’s toolbox.

If you really want to master SQL, I’d recommend reading Learning MySQL or similar book.

As common as they may be, databases sure are mysterious critters. It look me awhile to grasp the concept of them at first, and even longer for me to pick-up the skills required to make use of them. In addition to knowing a scripting language like PHP or Perl, and how to submit a query to the DB server, you also need to know the SQL language.

I just finished a great book on MySQL. Learning MySQL by Seyed M.M. Tahaghoghi and Hugh Williams is a comprehensive and well-explained book that teaches you from the ground up about MySQL databases and how to work with them. It introduces the concept of a database, walks you through installing the MySQL server software (if you’re not already running it), explains querying, then moves on to the real meat of the book: Structured Query Language, or SQL. It covers basic SELECTS and INSERTs, JOINS, nested queries, table and column types, and really everything you need to know to get started.

Following chapters cover topics like using PHP or Perl to interact with databases (as opposed to using a MySQL prompt) and securing web applications. There are also sections on planning database structures optimally, optimizing performance.

The book is written in a manner that should make it easy to follow, it’s full of code examples to try out, and overall is enough to give you a general to intermediate knowledge of MySQL. It also works as a handy reference.