Sending Select queries to MySQL

pk11 · 2018-08-26 08:52:14 UTC

I am new to PHP, but have been able to write a few short insecure files to insert, delete and update data.
My problem is: How do I send long queries to MySQL without putting in the URL.
I presume sending a SQL query in the URL is asking for trouble, but I have 150 very long SQL queries which I need to abstract lists from MySQL.
I have heard of PDO’s and stored procedures but do not know how it works and what is best.
All my queries have parameters which I can send in the script via Winsock in VB6 to the PHP file.
Secondly I need some code to make my PHP files secure. Any thoughts on a authoritive source?
Some directing will be appreciated.
Thanks

m_hutley · 2018-08-26 12:59:50 UTC

Well I’m not going to weigh in on the whole… stored procedures thing, but you certainly shouldnt be passing SQL queries via the URL (via GET, as it will inevitably be referred to)

It’s incredibly insecure (and potentially highly damaging) to allow user-input queries. Is there a specific use-case you’re considering to allow it?
If not, don’t let the query be specified anywhere but in your code - either in hardcode form or by inclusion/reading of an external document.

pk11 · 2018-08-26 15:07:18 UTC

I have the SQL’s hard coded in my VB6 program, so I will need to move it to the server in a php file or whatever. I have 150 very long SQL queries and my php file may get as involved as my VB6 program.
I am trying to connect directly to the remote MySQL database with ADO, but until now without success.
Thanks.