| From: | "Erick Papadakis" <erick(dot)papa(at)gmail(dot)com> |
|---|---|
| To: | PFC <lists(at)peufeu(dot)com> |
| Cc: | "Ron Johnson" <ron(dot)l(dot)johnson(at)cox(dot)net>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: PHP sucks!! - was: persistent db connections in PHP |
| Date: | 2007-06-16 21:39:32 |
| Message-ID: | e9e8f77d0706161439i796e17bfo2a113a646b6808d7@mail.gmail.com |
| Lists: | pgsql-general |
On 6/17/07, PFC <lists(at)peufeu(dot)com> wrote:
> I either use pg_query_params() which automagically handles all quoting,
> or an ORM which does the same.
> There is no reason to include strings in SQL statements except laziness.
> MySQL does not have a mysql_query_params() for PHP, so you have to write
> one, it's pretty simple.
Take your pick:
- Quotemeta
- Addslashes
- Htmlentities($string, 'utf-8')
- Magic_quotes in the INI
- Anti-XSS code (several available online)
> Python's (and perl) strength in this respect is that they make it easier
> to use the safe solution, ie, query( "sql with ? or $1 or %s", arg, arg, arg )
$sql = "select column from table where field = '%s'";
$sql = sprintf($sql, $submittedvariable);
..
> PEAR::DB is horrendous.
>
And hugely unnecessary.
EP
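The two constructions the thread argues about, side by side, as an added example that is not part of the original message: one pastes the submitted value into the SQL text with `%`/sprintf-style formatting, the other passes it through a placeholder the way `pg_query_params()` (or the `?`/`$1`/`%s` style PFC mentions) does. It uses Python's `sqlite3` module so it runs offline without a PostgreSQL server; the table `t`, its two rows and the function names are constructed for the example. A value that merely contains an apostrophe, such as a surname, is enough to show the difference.

```python
import sqlite3

# Constructed stand-in for the PostgreSQL table in the thread: one text column.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (field text)")
    conn.executemany("insert into t values (?)", [("alice",), ("O'Brien",)])
    return conn


def lookup_interpolated(conn, value):
    """The sprintf-style construction: the value becomes part of the SQL text.

    Anything the value contains (quotes included) is parsed as SQL, so the
    statement is only well-formed for values that happen to need no escaping.
    """
    sql = "select field from t where field = '%s'" % value
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, value):
    """The pg_query_params-style construction: placeholder in the SQL, value
    handed to the driver separately, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute("select field from t where field = ?", (value,))]


def compare(value):
    """Run both lookups for the same input and return (interpolated, parameterized).

    The interpolated result is replaced by the error class name when the pasted
    value breaks the statement; the parameterized lookup never reaches that path.
    """
    conn = make_db()
    try:
        interpolated = lookup_interpolated(conn, value)
    except sqlite3.Error as exc:
        interpolated = "error: " + type(exc).__name__
    parameterized = lookup_parameterized(conn, value)
    conn.close()
    return interpolated, parameterized


if __name__ == "__main__":
    for v in ("alice", "O'Brien"):
        print(repr(v), "->", compare(v))
```

For `alice` both variants return the same row; for `O'Brien` the interpolated statement becomes `where field = 'O'Brien'` and fails to parse, while the placeholder version returns the row. In PHP the second form is `pg_query_params($conn, 'select field from t where field = $1', array($value))`; the quoted advice is that the placeholder path should be the default, not something reached for after escaping goes wrong.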