|
|
Posted by Stefan Rybacki on 11/18/05 12:21
www.douglassdavis.com wrote:
> I have an idea for preventing sql injection attacks, however it would
> have to be implemented by the database vendor. Let me know if I am on
> the right track, this totally off base, or already implemented
> somewhere...
>
> Lets say you could have a format string such as in printf
>
> $format=" SELECT %s FROM %s WHERE id='%s' ";
> $fieldname="last_name";
> $tablename="personel";
> $id="425";
>
> and you could execute a query like
>
> mysql_query_formatted($format, $fieldname, $tablename, $id);
I know them as prepared statements and they are looking like this:
INSERT INTO table (attr1,attr2,...,attrN) VALUES (?,?,?,?,?,...,?)
And they are filled like this:
preparedStatement->setString(pos, string) or
preparedStatement->setBoolean(pos, bool) or ...
So the preparedstatement functions handle each type as they have to (e.g. escaping strings
if necessary and adding 's to the start and end)
Regards
Stefan
>...
Navigation:
[Reply to this message]
|