Posted by Jan Thomä on 08/30/07 13:11
Jerry Stuckle wrote:
> Jan Thomä wrote:
>> I always use the placeholder notation for doing SQL. Concatenating SQL
>> strings from input values is almost certainly a safe path to SQL
>> injection.
>
> Not if you properly cleanse your input. Ensure numeric values are
> really numeric, and string values are processed through
> mysql_real_escape_string(), for instance.
Thanks for the input, and yes, I agree, you should definitely cleanse your
input before feeding it to the database. My point was simply that when you
give this kind of work to a framework and always use the ? notation, you
are safe from injection, even if you forget to check a single input
variable (which surely happens from time to time). Also, you don't have to
do the conversions to different formats manually, so you save a bit of time
and effort.
Best regards,
Jan
--
_________________________________________________________________________
insOMnia - We never sleep...
http://www.insOMnia-hq.de
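To make the difference Jan describes concrete, here is an added example (not code from the thread) using Python's sqlite3 module, which accepts the same `?` placeholder notation; the users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the original thread.
SAMPLE_USERS = [(1, "alice", "pw-a"), (2, "bob", "pw-b")]


def make_db():
    """Build an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """The pattern Jan warns against: the input becomes part of the SQL text,
    so a quote character inside it changes what the statement means."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_placeholder(conn, name):
    """The '?' notation: the driver binds the value separately from the SQL,
    so whatever the input contains is compared as a literal string."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_id(conn, raw_id):
    """Jerry's point combined with Jan's: check that a numeric input really is
    numeric (int() raises ValueError otherwise), then still bind it with '?'."""
    user_id = int(raw_id)
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"  # a quote-bearing input that a forgotten check would let through
    print(find_by_name_concat(db, tainted))       # both rows: the WHERE clause was rewritten
    print(find_by_name_placeholder(db, tainted))  # []: no user literally has that name
    print(find_by_id(db, "2"))                    # [(2, 'bob')]
```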