<div dir="ltr">Thanks everyone. It's a small temporary app on a closed network with trusted clients. If you notice I'm not even fully protecting against SQL injection; no octals or whatnot are checked ... it's literally just for a few characters which people may type in (like O'Grady).<div>
<br></div><div>Didn't know the internals of the MySQL protocol - I've just been using emysql and it seems to work fairly well. I've not done much postgres, but while it's always had a good reputation it never seemed to be quite as .... dynamic ... as the MySQL development process. I've been using MySQL, well, forever but I'm open to exploring postgres again after this project</div>
<div> <br></div><div>Which postgres clients (erlang) are considered solid and what's the consensus on their clustering compared to Galera/Percona?</div><div><br></div><div>Thanks!</div><div><br></div><div><br></div></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 11, 2014 at 7:05 AM, PAILLEAU Eric <span dir="ltr"><<a href="mailto:eric.pailleau@wanadoo.fr" target="_blank">eric.pailleau@wanadoo.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I agree .<br>
<br>
Note, what I like in Postgresql on contrary of Mysql, is the dollar quoting.<br>
<br>
In addition to usual SQL injection protections on data input,<br>
you can also use dynamic dollar quoting, to make more complexe SQL injection attempts :<br>
<br>
UPDATE users set password=$4896$new password hash$4896$ WHERE id=12345 ;<br>
<br>
4896 is for instance the PID of the forked Apache process, or anything else with more entropy.<br>
<br>
The attacker can't guess this ID and injection is much much more complex...<br>
<br>
<br>
Le 11/08/2014 09:51, Loïc Hoguin a écrit :<div class="HOEnZb"><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 08/11/2014 06:02 AM, Mike Oxford wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I need to so some input sanitizing for use against MySQL.<br>
</blockquote>
<br>
Are you saying you are going to take this data and put it inside a query<br>
string? This isn't going to protect anything, escaping doesn't prevent<br>
SQL injection. Why not use a prepared statement instead? This makes the<br>
data separate from the query, you don't need to do any escaping and<br>
MySQL takes care of everything for you. Also make sure you are using the<br>
*binary* protocol, not the *text* one, and you're pretty much set.<br>
<br>
</blockquote>
<br></div></div><div class="HOEnZb"><div class="h5">
______________________________<u></u>_________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/<u></u>listinfo/erlang-questions</a><br>
</div></div></blockquote></div><br></div>