The term Flash can include any of the other terms defined below, and I find that saying "Flash" without specifying exactly what you mean can be confusing and misleading. Case in point: I'm not sure what you specifically mean when you say "Flash" in your question. Is it Flash Player? The authoring tool? Or the whole collection of technologies that fall under what Adobe calls the "Flash Platform"? To help clear all this up, let me define the technologies involved in creating Flash and Flex content so that we're all using the same terminology here:
Flash Player is a runtime for rich media content in the browser. There is also Flash Lite to run Flash content on older or low-end mobile devices, and Adobe AIR extends Flash Player to allow content authors to publish native desktop and mobile applications that can integrate with things like the file system, windowing systems, and device sensors like the accelerometer and camera. Collectively, Adobe refers to these as the Flash runtimes.
Flash Professional (often called the Flash authoring tool or the Flash IDE) has traditionally been the primary application used to create content that runs on Flash Player. It is very designer oriented with timelines, layers, and visual drawing tools. Software developers may find this application disorienting and limited compared to other development tools that focus more on code, like Flash Builder (see below). When someone says, "I built something with Flash", they often mean the Flash authoring tool, but that's not always the case. For that reason, it's good to always clarify to avoid any confusion.
ActionScript is the primary programming language supported by Adobe to target Flash runtimes. The current version is ActionScript 3 (abbreviated as AS3), which has been supported since Flash Player 9. Content created with older versions of ActionScript can still be run in the latest versions Flash Player, but new features are only supported when using ActionScript 3 to create new content.
Flex is a collection of technologies designed to create rich applications that target the Adobe's Flash runtimes. Though saying "Flex" previously had the same ambiguity as "Flash", the Flex brand name is becoming more and more focused on the Flex framework and SDK, described below.
The Flex SDK consists of compilers, a command-line debugger, and the Flex framework. The included compilers are:
1. MXMLC, an ActionScript and MXML compiler to output the final SWF file for deployment to Flash Player.
2. COMPC, a static library compiler for ActionScript that outputs SWC files.
3. ASDOC, a documentation generator built on the compiler technology.
The Flex framework is a collection of ActionScript classes designed to build Rich Internet Applications. It includes things like user interface controls, web services and other connectivity classes, formatters and validators, drag and drop, modal windowing, and component states. These classes are in the mx.* package. Generally, when developers say "Flex" without any clarifying information, they mean the Flex framework and not the product formerly known as Flex Builder.
In 2011, Adobe donated the Flex SDK to the Apache Software Foundation. It is now called Apache Flex and it is fully managed by the community rather than Adobe. However, Adobe employees continue to contribute to the project, and Flash Builder (see below) continues to support new SDKs released by the Apache Flex project.
MXML is an XML-based markup language used by the Flex compilers to make layout and placing components into containers easier. The tree-like structure of XML make the containment hierarchy easier to visualize. MXML is actually converted to ActionScript during the compilation process.
Flash Builder (formerly known as Flex Builder) is a development environment that allows developers to build different project types to create SWF files that are deployed to Flash runtimes. It is built on the Eclipse platform and is more familiar to software engineers. Flash Builder supports projects built with Flex or pure ActionScript. Flex projects include the Flex framework. ActionScript projects are the most basic you can work with, starting with a single class and an empty canvas, and the Flex framework is not included.
Flash Builder does not replace Flash Professional. Some people who have traditionally used Flash Professional may now choose to use Flash Builder instead. Often, these are software engineers who appreciate or require the advanced development tools offered by Flash Builder or don't work heavily with assets designed in a visual tool. Some developers may write their code in Flash Builder, while choosing to compile their projects in the Flash authoring tool. Often, these developers are also designers, or they are working with other people who are designers. In this situation, there may be many graphical assets created in the Flash authoring tool, and it could be difficult or simply inappropriate to bring them into another environment.
The Flex framework is specifically designed to build applications. It includes many traditional form controls (buttons, lists, datagrids, etc) and much of the code runs on an advanced component framework written in ActionScript. Not everyone is building the sort of content that Flex is designed to create, and Flex does not replace traditional Flash development practices for everyone. It is a better approach for some developers, but may not be right for others. More design-heavy websites, such as those created for movies, music, energy drinks, advertising campaigns, and things like that probably shouldn't use the Flex framework. These types of content might be better suited to Flash Professional or a pure ActionScript project in Flash Builder. Similarly, little widgets you put into the sidebar of your website or on your profile in a social networking website may need to be built with pure ActionScript (without the Flex framework) because they require a smaller file size and they probably don't need a big complex component architecture designed for larger applications. When targeting Flash runtimes, your development environment, frameworks, and workflow should be chosen based on your project's requirements and goals.
The correct way to avoid SQL injection attacks, no matter which database you use, is to separate the data from SQL, so that data stays data and will never be interpreted as commands by the SQL parser. It is possible to create SQL statement with correctly formatted data parts, but if you don't fully understand the details, you should always use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.
You basically have two options to achieve this:
Using PDO (for any supported database driver):
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);
foreach ($stmt as $row) {
// Do something with $row
}
Using MySQLi (for MySQL):
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// Do something with $row
}
If you're connecting to a database other than MySQL, there is a driver-specific second option that you can refer to (for example, pg_prepare() and pg_execute() for PostgreSQL). PDO is the universal option.
Correctly setting up the connection
Note that when using PDO to access a MySQL database real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:
$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'password');
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
In the above example the error mode isn't strictly necessary, but it is advised to add it. This way the script will not stop with a Fatal Error when something goes wrong. And it gives the developer the chance to catch any error(s) which are thrown as PDOExceptions.
What is mandatory, however, is the first setAttribute() line, which tells PDO to disable emulated prepared statements and use real prepared statements. This makes sure the statement and the values aren't parsed by PHP before sending it to the MySQL server (giving a possible attacker no chance to inject malicious SQL).
Although you can set the charset in the options of the constructor, it's important to note that 'older' versions of PHP (before 5.3.6) silently ignored the charset parameter in the DSN.
Explanation
The SQL statement you pass to prepare is parsed and compiled by the database server. By specifying parameters (either a ? or a named parameter like :name in the example above) you tell the database engine where you want to filter on. Then when you call execute, the prepared statement is combined with the parameter values you specify.
The important thing here is that the parameter values are combined with the compiled statement, not an SQL string. SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters, you limit the risk of ending up with something you didn't intend.
Any parameters you send when using a prepared statement will just be treated as strings (although the database engine may do some optimization so parameters may end up as numbers too, of course). In the example above, if the $name variable contains 'Sarah'; DELETE FROM employees the result would simply be a search for the string "'Sarah'; DELETE FROM employees", and you will not end up with an empty table.
Another benefit of using prepared statements is that if you execute the same statement many times in the same session it will only be parsed and compiled once, giving you some speed gains.
Oh, and since you asked about how to do it for an insert, here's an example (using PDO):
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$preparedStatement->execute([ 'column' => $unsafeValue ]);
Can prepared statements be used for dynamic queries?
While you can still use prepared statements for the query parameters, the structure of the dynamic query itself cannot be parametrized and certain query features cannot be parametrized.
For these specific scenarios, the best thing to do is use a whitelist filter that restricts the possible values.
// Value whitelist
// $dir can only be 'DESC', otherwise it will be 'ASC'
if (empty($dir) || $dir !== 'DESC') {
$dir = 'ASC';
}
Best Answer
Flex Builder and Flash Builder both function as Plug-ins to Eclipse, though each also comes in a "stand-alone" flavor - which is still eclipse, but with a lot of the Eclipse functionality torn out for a smaller footprint.
What you want to do is pretty simple - get eclipse set up, install PDT or whatever your favorite PHP plug-in is and then install Flash/Flex Builder into that same instance of Eclipse. Make sure when you download FB you choose to download the "Plug-in" version instead of the stand-alone version. When you go to install it, it'll ask you where you want to install it - pick a location, and hit next. It will then ask you if you want to plug-in to an existing instance of Eclipse or use the bundled Eclipse (at least Flash Builder comes with a Bundled eclipse). Opt to select an eclipse version and point it toward the Eclipse install that has your PHP coder plugged into it.
If all goes well, once it' done you can open Eclipse and then switch views between Flash Builder and PDT all within one instance of Eclipse. I do this with Aptana, it's very handy to be able to do your HTML, PHP and AS3 all in one editor.
Good luck!
Also [edit]:
Adobe promotes Zend because of a Zend plug-in called ZendAMF. ZendAMF is the spiritual successor to AMFPHP - basically, with a little bit of setup you can create a dev environment where you are able to call PHP functions right from your AS3 code. You can set up a ZendAMF Class, for instance, called getUsers() which then queries your DB and pulls out a list of Users. You can use that to populate PHP ValueObjects, and then it will pass those VO's back to Flex in binary (much, much faster than XML) and if you have it set up correctly they will be data-typed as AS3 Value Objects of the same type.
This is very useful because it's all very transparent - you can then write an AS3 function called getUsers() which returns an Array of value objects, set it up to quietly call your PHP which calls the database, and have it return a value as though it were just all AS3 from start to finish. A bit tricky to set up, but once you're rolling there's really no going back! :)