I am using MySQL - 4.1.15 & PHP 4 & reading Visual QuickPro PHP/mySQL.
1. About mysql security - when I set up my PHP forms to write to text files I use the PHP functions to strip about any bad characters. For example, $Location=htmlspecialchars(stripslashes($Location) ); . Is there a mySQL equivalent? Right now I have them formatted like $city=$_POST['city'];
2. This could be related to the last question. Whenever I enter data thru my forms and the data has brackets ("< >")wrapped around it the brackets get stripped out. Why is this?
3. Is it recommended to keep your mySQL username and password in a separate file outide of your web directory?
4. Is there anything wrong with insert 2 different inputs from a form into 1 column with a query like this? $query = "INSERT INTO listingsgames VALUES ('$tourneydate3-$tourneydate-$tourneydate2')?
5. Is there a way to create a query to move a record to another table then delete the record in the originial table? Someone on google recommended this but it doesnt work.
$query="UPDATE listingsgames SET deletestatus = 'yes' WHERE gameid = '$variable2'";
INSERT listingsgamesdeleted (gameid, deletestatus) SELECT gameid, deletestatus FROM listingsgames WHERE deletestatus = 'yes';
T1 = SELECT COUNT(*) from listingsgames WHERE deletestatus = 'yes';
T2 = SELECT COUNT(*) from listingsgamesdeleted WHERE deletestatus = 'yes';
if ( T1 == T2 ) DELETE FROM listingsgames WHERE deletestatus = 'yes';
UPDATE listingsgamesdeleted SET deletestatus = 'no';
After my investigating into the subject, I get the impression that I might have have to use a "transaction" which would require me to change the table type to "innoDB" (which i hear are slower). If this is true would it slow the queries down if I have 25,000 records and am doing 80% SELECT queries and 20% INSERT queries? Are there any other downsides - other than foreign keys - to have an innoDB table type instead of MYISAM?
6. I have a field where I would prefer to give people about 700 characters to enter information. Would having the column type as "text(700)" be much slower than "varchar(255)". I would have about 15,000 records.
7. I have people enter information on my site and I want them to be able to edit it. But, for now, I don't want to set up usernames and passwords. My idea is that if they want to change their listing then I have them enter their email into a form and the form emails them an address like email@example.com&pw=6548921546 9841354456 where the "pw" variable is a random number I generate with each record creation. Are there any security problems with this?