I've found much better anti-XSS system like "Big umbrella".
1. check doubtful request (eg. "<script") in the top of application
2. if such requests exist, push an output filter by ob_start()
3. else no ob_start() are pushed (=performance safe)
4. check registered doubtful-requests exist in the html for outputting
5. if exist, die().
I'll write the code in (2)
Marijuana suggested me "You should compare with IN and INNER JOIN instead of LEFT JOIN".
As his suggestion sounds quite reasonable, I've done benchmark again.
The result
(LEFT JOIN) << (IN) ~ (INNER JOIN)
Thus I still insist "IN than JOIN".
That's because, dividing queries into permission and main makes coding easy.
MySQL is one of the fastest Database Engine with simple queries, though it is not so fast on with complex queries.
Thus, we should divide queries simple as possible.
eg) permission system between categories and groups:
CREATE TABLE cat (
`cid` int NOT NULL default 0,
`name` varchar(255) NOT NULL default '',
PRIMARY KEY (cid)
) TYPE=MyISAM ;
CREATE TABLE cat_perm (
`cid` int NOT NULL default 0,
`gid` int NOT NULL default 0,
PRIMARY KEY (cid,gid)
) TYPE=MyISAM ;
CREATE TABLE item (
`id` int NOT NULL default 0,
`cid` int NOT NULL default 0,
`name` varchar(255) NOT NULL default '',
PRIMARY KEY (id),
KEY (cid)
) TYPE=MyISAM ;
SELECT item.* FROM item LEFT JOIN cat_perm ON cat_perm.cid=item.cid WHERE cat_perm.gid=1;
SELECT cid FROM cat_perm WHERE gid=1;
SELECT * FROM item WHERE cid IN (cid list);
It is non-sense to check "Time-out error" or "Ticket" error in Wiki editing.
These checks make users much impatience.
The "rerversibility" is the most important to think about "anti-CSRF".
If a web application has a reversibility in editing, it is not necessary to add Ticket nor Referer checking in transaction stage for posting.
Wiki is a well-desinged application from this point of view.
We should design applications with reversibilities as possible.
This is a summary of discussion with ELF about escaping string for SQL.
I recommmend addslashes()
(A) performance
(B) compatibility with environments of magic_quotes_gpc=on
(C) reverse function exists
(D) DB connection free
ELF recommend *_escape_string()
(1) clear the purpose
(2) searchable by grep, replacable by sed, easily
(3) can follow to change DB engine's spec
I think it stands to reason all of (1)(2)(3).