Posted by Malcolm Dew-Jones on 11/04/05 20:15
Justin Koivisto (justin@koivi.com) wrote:
: Malcolm Dew-Jones wrote:
: > Chung Leong (chernyshevsky@hotmail.com) wrote:
: > : Malcolm Dew-Jones wrote:
: > : > Definitely correct, but escaping is not the same as using intval to force
: > : > something into a number. Escaping is the mechanism to ensure that the
: > : > database (or whatever) sees and stores the original data in its original
: > : > format.
: >
: > : Well, how else do you safely insert an integer into a SQL statement?
: >
: > insert into Tbl (my_col) values (?)
: >
: > and then bind the statement to the value.
: This looks like something specific to a db abstraction layer like
: PEAR::DB - I don't believe that RDBMS databases support this on their
: own. (At least I haven't come across it yet.)
Some do support this natively. The cut-off point appears to be the cost -
as they say, you sometimes get what you pay for.
According to a Google search, a few example databases
Oracle, DB2, Interbase, Sybase, MS-SQL
have bind variables built in (I am familiar with Oracle, it has "always"
had them).
mSQL, MySQL, PostgreSQL
do not have them built in, but I wonder if the page was old because I
thought that PostgreSQL did have them (but I don't use it so what do I
know).
Even things like MS Access have built in support for expressions in
statements that could be called bind variables.
--
This programmer available for rent.
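The placeholder-and-bind approach Malcolm describes, beside the intval-style coercion the earlier posters mention and the string-concatenation it replaces, as an added example that is not code from anyone in this thread. It uses Python's sqlite3 module because it needs no server; the table `Tbl` and column `my_col` come from the quoted statement, and `php_intval` and the sample values are constructed for this illustration.

```python
import re
import sqlite3


def php_intval(value):
    """Mimic PHP's intval() on a string: take the leading optional sign and
    digits, ignore the rest, and fall back to 0 when there is no number.
    (Constructed helper, not PHP's own implementation.)"""
    match = re.match(r"\s*([+-]?\d+)", str(value))
    return int(match.group(1)) if match else 0


def setup():
    """Fresh in-memory database with the table from the quoted statement.
    my_col is declared without a type so SQLite stores values as given."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tbl (my_col)")
    return conn


def last_value(conn):
    """Return the most recently inserted my_col value."""
    row = conn.execute("SELECT my_col FROM Tbl ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


def insert_bound(conn, value):
    """Malcolm's approach: a placeholder in the SQL text, the value bound by
    the driver. The database receives the original data in its original
    format, whatever characters it contains."""
    conn.execute("INSERT INTO Tbl (my_col) VALUES (?)", (value,))
    return last_value(conn)


def insert_concatenated(conn, value):
    """The approach binding replaces: splice the value into the SQL text.
    A single quote in the data changes the statement's structure, so the
    database parser sees broken SQL rather than the intended value."""
    sql = "INSERT INTO Tbl (my_col) VALUES ('%s')" % value
    try:
        conn.execute(sql)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", last_value(conn))


def demo():
    """Run the three variants on the same inputs and collect the outcomes."""
    conn = setup()
    return {
        # intval forces the input into a number, losing the trailing text
        "coerced": insert_bound(conn, php_intval("12abc")),
        # binding keeps the quote intact; the stored value equals the input
        "bound": insert_bound(conn, "O'Brien"),
        # concatenation turns the same input into a syntax error
        "concatenated": insert_concatenated(conn, "O'Brien")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note the difference the post draws: intval changes the data (`"12abc"` becomes `12`), while binding stores `O'Brien` exactly as supplied; the concatenated form fails on the same input because the quote is parsed as SQL rather than data.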