-
February 19th, 2006, 03:49 AM
#1
SQL's advantages over text files
I was just wondering how an SQL database provides advantages over a text file when being handled by PHP, when the text file is laid out similar to a CSV. For example, I could have a table like the following:
This would be fine as a table in a database, but couldn't this just be in a text file using the | as separators? This wouldn't automatically rule out security issues like SQL injection and the like, while still providing a medium from which data can be read (and fairly easily).
Admittedly, looking through a text file with data like the stuff above would be hell, whereas a database would be much more pleasant and easy to read - but, there is one method of attack less to try to defend.
PHP can write to databases, but writing to a text file on certain lines and cells would be impossible, so in a writing case SQL takes first place. But if it's only reading data to sort into a nice viewable format, surely a plain text file with a set separator would do nicely?
Just wanted to hear your opinions on this.
Cheers,
-jk
-
February 19th, 2006, 05:50 AM
#2
You can't query a text file quickly. Read about indexing:
http://en.wikipedia.org/wiki/Database#Indexing
Security isn't about cutting functionality, it's about securing required functionality. I would accept the risk of attacks like SQL injection for the benefits of a DBMS.
Is having a webserver on an ecommerce website a risk? If so, would you restrict access to port 80?
-
February 19th, 2006, 12:35 PM
#3
Originally posted here by Soda_Popinsky
You can't query a text file quickly. Read about indexing:
http://en.wikipedia.org/wiki/Database#Indexing
Security isn't about cutting functionality, it's about securing required functionality. I would accept the risk of attacks like SQL injection for the benefits of a DBMS.
Is having a webserver on an ecommerce website a risk? If so, would you restrict access to port 80?
Point taken and accepted. Up to now I've never really had any experience with databases (and I'm still learning PHP), so I wanted to minimise risks. But, security by losing functionality isn't the way to go (as you said) - and a text file being used as a database would be a nightmare.
Do you know any good SQL injection articles I could read, and in particular how to secure against them? I already found some info in SANS' reading room and in the PHLAK documentation, but I want to get more informed before I start using SQL. Google also provided some nice articles, but recommendations are welcome.
Thanks,
-jk