Subject Re: [firebird-php] Using Firebird with InterBase 6 Databa
Author Myles Wakeham
file_put_contents('SQL2.txt', $SQL, FILE_APPEND);
$DBRecord=ibase_query($SalesDB, $SQL) or Catch_Err('Add Past Order');

>The above is an example of currently working code from a script that
>runs on our dominant InterBase 6 server. We would like to be able to
>run that script directly from our web page.

>Can we do this with the PHP Firebird interface?

I hope I'm not reacting too early with the little information here, but
this screams SQL Injection attack right from the start.

Again, I don't know your design paradigm but there is good reason to
distance your front-end UI from the database. The immediate one is to
allow some sanitization of any data that might be stored in the SQL
database. The MVC (Model/View/Controller) design pattern goes a long
way forward in giving you the tools to do this, with little performance
issues. And stored procedures in Firebird would be a great way to
provide you with some security layer above the tables directly and
pre-compile/optimize the queries so they run super fast.

You are getting some level of abstraction with your REST approach, which
isn't a bad thing IMHO. Just don't throw out the benefits of what this
can give you without replacing the security on your database. You
probably read the same news that I read, and see the regular 'dumping'
of passwords, hash tags, etc. from big services like Yahoo! and LinkedIn
because of SQL Injection attacks. If you are dealing with 'orders' like
you have here, its likely you are also dealing with private customer
data and possibly credit cards or login/passwords.

I hope I'm wrong, but this looks like an accident waiting to happen.


Myles Wakeham
Director of Engineering
Tech Solutions USA LLC