From: | "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk> |
---|---|
To: | Dennis Gearon <gearond(at)cvc(dot)net> |
Cc: | Greg Stark <gsstark(at)mit(dot)edu>, pgsql-general(at)postgresql(dot)org, pgsql-interfaces(at)postgresql(dot)org |
Subject: | Re: More PHP DB abstraction layer stuff |
Date: | 2003-01-24 19:15:52 |
Message-ID: | Pine.LNX.4.21.0301241914020.28504-100000@ponder.fairway2k.co.uk |
Lists: | pgsql-general pgsql-interfaces |
On Fri, 24 Jan 2003, Dennis Gearon wrote:
> could you elaborate on:
>
> Place holders ( those are in prepared queries, yes?)
> out of band?
>
> 1/24/2003 9:22:42 AM, Greg Stark <gsstark(at)mit(dot)edu> wrote:
>
> >
> >But the best way to deal with this is to use placeholders and prepared queries
> >and provide the data out of band. This completely sidesteps the issue and
> >guarantees you can't get it wrong by mistake ever. Mixing user-provided data
> >with program code is a recipe for security holes.
In perl with DBI:
my $sth = $dbh->prepare("SELECT * FROM mytable WHERE id = ?");  # the ? is the placeholder; the SQL text never changes
$sth->execute($idvalue);                                        # the value is sent separately, so it is data, not SQL
I didn't even know it was possible in PHP. I've never used it before.
--
Nigel J. Andrews
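The point made in the quoted message, shown as an added example that is not part of this thread and not Nigel's or Greg's code: the same lookup written once with the value spliced into the SQL text and once with a placeholder, run against a constructed in-memory SQLite table so it executes offline. Python's sqlite3 module is used here only because it is readily runnable; the table name `mytable`, the sample rows and the hostile-looking input string are all constructed for the demonstration. With the placeholder form the driver ships the SQL and the value separately (the "out of band" part), so the value can never be parsed as SQL.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory table called mytable with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, idvalue):
    """Vulnerable form: the user value becomes part of the SQL text.

    Whatever the caller passes is parsed by the SQL engine as code,
    so a value such as '1 OR 1=1' widens the WHERE clause.
    """
    sql = "SELECT id, name FROM mytable WHERE id = %s" % idvalue
    return conn.execute(sql).fetchall()


def lookup_placeholder(conn, idvalue):
    """Safe form: the SQL text is a constant with a ? placeholder.

    The value travels to the engine separately as a bound parameter, the
    sqlite3 equivalent of DBI's $sth->execute($idvalue). It is compared as
    data, so '1 OR 1=1' simply matches no row.
    """
    sql = "SELECT id, name FROM mytable WHERE id = ?"
    return conn.execute(sql, (idvalue,)).fetchall()


def compare(idvalue):
    """Run both forms on the same input and return the two result sets."""
    conn = make_db()
    return {
        "interpolated": lookup_interpolated(conn, idvalue),
        "placeholder": lookup_placeholder(conn, idvalue),
    }


if __name__ == "__main__":
    for value in ("1", "1 OR 1=1"):  # second value is a constructed hostile input
        print(repr(value), "->", compare(value))
```

For an ordinary value such as `"1"` both functions return the single matching row; for the constructed input `"1 OR 1=1"` the interpolated query returns every row while the placeholder query returns nothing, because the parameter is compared to the integer column as a plain value. Note that the placeholder token differs between drivers (sqlite3 and Perl DBI use `?`, psycopg2 for PostgreSQL uses `%s`), but the separation of SQL text from values is the same in each.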