# Friday, October 15, 2004
MySQL is really secure... or bad.

I chose MySQL as my database, since I was writing on Linux, in C, and it just seemed like the easiest path. Can someone please say “you were so wrong”? MySQL has to be the worst DB engine out there. It doesn't (ok, just added) even have support for SUBQUERIES! It barely has support for multiple charsets. And... binary(20) is NOT a binary field 20 bytes long; it's a char(20). You can't execute multiple commands in a single query. It's embarrassing to open source, really. I don't know who could argue that MySQL is competition for SQL Server or Oracle and keep a straight face. Check this list out: http://sql-info.de/mysql/gotchas.html (I really love the part about date handling.)

On the other hand, it's very secure. www.kalea.com.gt <-- no checking of user input whatsoever. (BTW, my little article about Kalea made me a top search result for Kalea Guatemala, while their site doesn't even show up.) They take your querystring, concat it to their query, and off it goes. But guess what? Good luck trying to hack it. MySQL is so poor that doing SQL injection and achieving anything fun is nearly impossible. So much for adding prices to their site :). Oh wait, you can do a DoS by using the BENCHMARK expression and then encode/Sha1/etc.
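The pattern described above (take the querystring, concat it to the query, and off it goes) next to its fix, as an added example that is not code from this post or from any site it mentions. It uses Python's standard-library sqlite3 as a stand-in for the MySQL C client so it runs offline; the product table, the inputs and the function names are constructed for the illustration. The point is that the engine being weak is not what protects the data: the concatenated form breaks on an ordinary apostrophe and leaks the unpublished row on a crafted value, while the parameterized form returns exactly the row asked for or nothing.

```python
import sqlite3

# Constructed sample catalogue (not data from any real site). The third row is
# deliberately unpublished: a correct lookup must never return it.
PRODUCTS = [
    ("hammer", 12.50, 1),
    ("drill", 89.00, 1),
    ("unreleased-item", 999.00, 0),
]


def make_db():
    """Build an in-memory SQLite table standing in for a MySQL products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_concat(conn, name):
    """The pattern the post describes: the query-string value is glued into the
    SQL text, so whatever the user sends becomes part of the statement itself."""
    sql = ("SELECT name, price FROM products "
           "WHERE published = 1 AND name = '" + name + "'")
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the value is bound as a parameter. The SQL text is fixed
    and the driver passes the value to the engine as data, so it cannot change
    the statement's structure (the WHERE clause keeps its published = 1 filter)."""
    sql = "SELECT name, price FROM products WHERE published = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def run_case(conn, name):
    """Run both lookups on the same input and report what each returned.
    A syntax error from the concatenated query is reported as 'ERROR', the
    server-side failure a user sees as a 500 page."""
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "ERROR"
    return {"concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    db = make_db()
    # A normal name, a name with an apostrophe, and a value that reshapes the
    # WHERE clause: only the concatenated lookup behaves differently on each.
    for user_input in ("hammer", "o'neil", "x' OR '1'='1"):
        print(repr(user_input), run_case(db, user_input))
```

With AND binding tighter than OR, the concatenated statement for the third input reads `WHERE (published = 1 AND name = 'x') OR '1'='1'`, which is why the unpublished row appears; the bound parameter never reaches the parser as SQL, so the same string just matches no product name.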

So what am I going to do? Switch to SQL Server as soon as I get a release candidate done. I'm going to load Mono into my C app, and then transition into managed code and use some nice TDS libraries and have a good day with a database that actually works well. Had I done that to begin with, I'd be a few hours ahead of schedule instead of behind schedule...

Code | Humour | Misc. Technology | Security
Friday, October 15, 2004 4:18:53 AM UTC

Friday, October 15, 2004 1:46:18 PM UTC
MySQL is a joke. Try PostgreSQL. I originally went looking for a spatial alternative to Oracle Spatial and MySQL has basic spatial support but it blows. PostgreSQL is what I went with and it is way better than MySQL. Its spatial support is way better than SQL Server but it's still not quite as good as Oracle but it's getting there.

Friday, October 15, 2004 6:56:07 PM UTC
I have to agree with Andy. Go with PostgreSQL. I've been using it as a target for apps that I am porting from MS ASP.NET to run on Mono, and Mono has great PostgreSQL support. PostgreSQL supports subqueries, functions (which also work well for most stored procedure type work), and transactions, all of which have made it a great stand-in for SQL Server.