
Lee Davis' Blog:
In ORM’s Defense
Apr 16, 2012 @ 16:58:29

Lee Davis has a recent post that takes on some of the most common excuses people give for not using an ORM and writing the queries themselves instead. He writes in defense of the ORM and gives reasons why some of these common complaints may not matter that much.

For some reason, as of late, I can’t seem to attend any user group or conference without a speaker slating ORMs. Several speakers at the PHP UK Conference this year expressed their disapproval, as well as the speaker at this month's PHP London talk. However, no one is giving me a strong enough argument to not use an ORM. Remarks such as “That’s a whole other talk” or “Don’t get me started on ORMs” seem to be thrown about. But whenever I get a chance to talk about any concerns or issues they’re having, the conversation just seems to deflate. Am I missing something really terrible about ORMs that’s going to creep up and bite me?

He goes through and lists some of the most common complaints and explains how, once you get past the initial impressions, they might not be so bad:

  • Using ORMs means having a one-to-one relation between object and table
  • ORMs produce sub-optimal SQL and far too many queries
  • Using ORMs means using active record
  • ORM is slower than just using SQL. Unlike other abstraction layers, which make up for their performance hit with faster development, ORM layers add almost nothing.
  • But just pulling out arrays is quicker
  • Incorrect abstraction - if you don't need relational data features you're using the wrong data store

tagged: orm defend opinion excuses database

Stefan Mischook's Blog:
Defending against SQL Injection attacks
Dec 03, 2009 @ 17:35:36

In this new post to his KillerPHP.com blog Stefan Mischook looks at a few of the basic steps you can take to help prevent SQL injection attacks in your application.

You should protect your relational databases (like MySQL) from the dreaded SQL injection attack. These attacks are conducted by evil sniveling nerds, trying to insert damaging SQL code into your HTML form fields (and query strings too) to do things like drop database tables or even wipe out your database altogether!

There are three things he recommends as good places to start: mysql_real_escape_string, using an ORM layer that does its own escaping, and using something like PDO with prepared statements, so that user input is bound to the query as data rather than pasted into the SQL text.

tagged: defend sql injection attack
