Posted by Jim Michaels on 11/21/16 11:37
I've not seen this ("statements with value placeholders and provided value
binding functions") using the mysql functions in PHP before. What does it
look like?
"Hilarion" <hilarion@SPAM.op.SMIECI.pl> wrote in message
news:dp4p6j$hd1$1@news.onet.pl...
>>> >> $sql = "UPDATE stories SET writer='$auth_user' , page = '$page',
>>> >> headline
>>> >> = '$headline', story_text = '$story_text', picture = '$filename',
>>> >> modified = '$time', WHERE id = '$story' ";
>>> >>
>>> > Get rid of the comma before WHERE.
>>> >
>>>
>>> Also, if id is a numeric type then you don't really need the single
>>> quotes around $story. I'm not sure what the implications of assigning a
>>> char value to a numeric type are.
>>>
>>>
>>
>> argghh! Don't teach him bad habits! Any time a non-constant value (read:
>> variable) is used inside a query string, the single quotes should be
>> there.
>
> No, they should not. One should avoid using dynamic SQL statements if
> possible and use statements with value placeholders and provided value
> binding functions.
> If it's not possible and the value has to be placed in the SQL statement
> text, then it should use the DB type of the value when possible. This means
> that numeric values should NOT use single quotes (or any other quotes). To
> avoid SQL injection all values (not only those without quotes) should be
> properly validated and/or escaped.
> No single quote is going to protect anyone from SQL injection attacks.
>
>
>> Both PostgreSQL and MySQL gracefully convert numbers to text and
>> vice-versa when quoted.
>
> Yes, when they know they should (which is not always true), but the
> conversion can be environment dependent (e.g. decimal point), so one should
> not rely on such implicit conversions.
>
>
> Hilarion
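Since the question in this post is what a placeholder-and-binding version of the quoted UPDATE looks like, here is one as an added example (it is not code from the thread or from either poster). It uses PHP's mysqli extension, which supports prepared statements, whereas the old mysql_* functions do not. The connection parameters, the table and column names, and the source of the variables are assumed to match the query quoted above.

```php
<?php
// Added example, not from the original thread. Connection details and the
// "stories" table layout are assumptions taken from the quoted UPDATE.
$db = new mysqli('localhost', 'cms_user', 'cms_pass', 'cms');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// Values as they would arrive from the request / session (assumed names).
// With placeholders they are never concatenated into the SQL text, so a
// value such as "1' OR '1'='1" in $story is just data, not query syntax.
$auth_user  = $_SESSION['auth_user'];
$page       = $_POST['page'];
$headline   = $_POST['headline'];
$story_text = $_POST['story_text'];
$filename   = $_POST['filename'];
$time       = date('Y-m-d H:i:s');   // "modified" assumed to be a DATETIME column
$story      = $_POST['story'];

// Validate the numeric value before it is bound: id is an integer in the DB,
// so it is bound as one (no quotes, no implicit string-to-number conversion).
if (!ctype_digit((string) $story)) {
    die('invalid story id');
}
$story = (int) $story;

// The statement text contains only "?" markers; note also that the stray
// comma before WHERE from the quoted query is gone.
$sql = 'UPDATE stories SET writer = ?, page = ?, headline = ?, story_text = ?, '
     . 'picture = ?, modified = ? WHERE id = ?';

$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('prepare failed: ' . $db->error);
}

// One type character per placeholder: s = string, i = integer.
// bind_param binds by reference, so the variables are read at execute().
$stmt->bind_param('ssssssi',
    $auth_user, $page, $headline, $story_text, $filename, $time, $story);

if (!$stmt->execute()) {
    die('execute failed: ' . $stmt->error);
}
printf("%d row(s) updated\n", $stmt->affected_rows);
$stmt->close();

// Fallback for the case Hilarion describes, where placeholders are not
// available and the value must go into the SQL text: escape every string
// with the driver's escaping function and cast every numeric to its DB type.
// The single quotes around $safe_headline are SQL string delimiters, not a
// protection; the escaping and the (int) cast are what prevent injection.
$safe_headline = $db->real_escape_string($headline);
$safe_id       = (int) $story;
$sql_fallback  = "UPDATE stories SET headline = '$safe_headline' WHERE id = $safe_id";
if (!$db->query($sql_fallback)) {
    die('query failed: ' . $db->error);
}
$db->close();
```

The same query can be written with PDO using named markers (`:headline`, `:id`) and `bindValue(':id', $story, PDO::PARAM_INT)`; the principle is identical: the SQL text is fixed at prepare time and the values travel separately with their types, so neither quoting nor escaping of the values is the application's job.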