Posted by Jerry Stuckle on 06/28/07 22:50
Chris Hope wrote:
> Jerry Stuckle wrote:
>
>> Malcolm Dew-Jones wrote:
>>> jb (jbriere@gmail.com) wrote:
>>> : Hi all, I've been tasked with reviewing a php app for sql injection
>>> : vulnerabilities left behind by another developer.
>>>
>>> Use bind variables, Some oracle examples to illustrate how
>
> [snip]
>
>> Bind variables are not necessary if you use mysql_real_escape_string
>> and otherwise validate your data (i.e. a numeric value is truly
>> numeric).
>
> But using bind variables means you don't need to bother escaping the
> data, because it's handled for you automatically.
>
Sure. But then you have to set up the query for binding then bind the
variables. Extra work over simple SQL, either way.
Don't get me wrong - I'm all for bind variables. I started using them
with DB2 in the 80's when you had to use bind variables (or go through a
lot of hoops dynamically preparing statements).
I'm just pointing out that it's not necessary to use them to protect
against sql injection.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
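As an added example (not part of this thread or any poster's code), the two approaches the posts compare side by side: a bind-variable lookup, an escape-and-interpolate lookup, and the "truly numeric" check that the escaping approach needs for an unquoted numeric column. An in-memory SQLite database stands in for the MySQL backend, Python DB-API placeholders stand in for PDO/mysqli bind variables, and the escape helper is a stand-in for mysql_real_escape_string; table, column and function names are constructed.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# MySQL users table of the PHP app under review.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien"), (3, "bob")])
    return conn

def find_by_name_bound(conn, name):
    """Bind-variable approach: the value travels separately from the SQL
    text, so a quote inside `name` is plain data and nothing is escaped."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def escape_string(value):
    """Stand-in for mysql_real_escape_string, written for SQLite's literal
    syntax (single quotes are doubled, not backslash-escaped). The escaping
    must match the engine and connection character set, which is why the
    real function takes the connection into account."""
    return value.replace("'", "''")

def find_by_name_escaped(conn, name):
    """Escape-and-interpolate approach: correct only because the escaped
    value is placed inside a quoted string literal."""
    sql = "SELECT id FROM users WHERE name = '%s'" % escape_string(name)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def is_numeric(value):
    """The thread's 'truly numeric' check. An unquoted numeric context has
    no quotes for escaping to neutralise, so validation must do the work."""
    return re.fullmatch(r"[0-9]+", str(value)) is not None

def find_by_id_validated(conn, user_id):
    """Escape-style approach on a numeric column: reject anything that is
    not a plain unsigned integer before interpolating it unquoted."""
    if not is_numeric(user_id):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT name FROM users WHERE id = %d" % int(user_id)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None
```

Both name lookups return the same row for a value containing a quote; the numeric path shows the extra validation step that the bind-variable path does not need.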