Posted by Chris Hope on 06/28/07 22:52
Jerry Stuckle wrote:
> Chris Hope wrote:
>> Jerry Stuckle wrote:
>>
>>> Malcolm Dew-Jones wrote:
>>>> jb (jbriere@gmail.com) wrote:
>>>> : Hi all, I've been tasked with reviewing a PHP app for SQL
>>>> : injection vulnerabilities left behind by another developer.
>>>>
>>>> Use bind variables, Some oracle examples to illustrate how
>>
>> [snip]
>>
>>> Bind variables are not necessary if you use mysql_real_escape_string
>>> and otherwise validate your data (i.e. a numeric value is truly
>>> numeric).
>>
>> But using bind variables means you don't need to bother escaping the
>> data, because it's handled for you automatically.
>
> Sure. But then you have to set up the query for binding then bind the
> variables. Extra work over simple SQL, either way.
>
> Don't get me wrong - I'm all for bind variables. I started using them
> with DB2 in the 80's when you had to use bind variables (or go through
> a lot of hoops dynamically preparing statements).
>
> I'm just pointing out that it's not necessary to use them to protect
> against SQL injection.
True :)
--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com
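The two approaches the thread compares, bind variables versus escaping plus validation, side by side in one script. This is an added example, not code from anyone in the thread. It runs against an in-memory SQLite database through PDO so it works without a MySQL server; PDO::quote() stands in for mysql_real_escape_string() (which needs a live MySQL connection), and the table, column names and inputs are constructed for illustration.

```php
<?php
// Added example: bind variables vs. escape-and-validate, against in-memory SQLite.
// Assumptions: the users table and the sample inputs below are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");

// Constructed inputs: a name containing a single quote, and an id field that
// is not a plain integer.
$nameInput = "o'brien";
$idInput   = "1 OR 1=1";

// Approach 1: bind variables. The driver sends the value separately from the
// SQL text, so nothing needs escaping and the input is always treated as data.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Approach 2a: escape string data before concatenating it into the SQL.
// PDO::quote() escapes and wraps the value in quotes, the same job
// mysql_real_escape_string() plus surrounding quotes does for MySQL.
function findByNameEscaped(PDO $db, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Approach 2b: for a numeric column, escaping is not the control; validation
// is. Reject anything that is not a non-negative integer before building SQL,
// and cast so the literal that reaches the query can only be a number.
function findByIdValidated(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException("id must be a non-negative integer, got: $id");
    }
    $sql = 'SELECT id, name FROM users WHERE id = ' . (int) $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Both string approaches match the o'brien row; the quote is handled as data.
var_dump(findByNameBound($db, $nameInput));
var_dump(findByNameEscaped($db, $nameInput));

// A well-formed id is accepted; a malformed one is rejected before any SQL exists.
var_dump(findByIdValidated($db, '1'));
try {
    findByIdValidated($db, $idInput);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run with `php example.php`. The point the thread makes shows up in the code shape: the bound version needs a prepare/execute pair but no per-value handling, while the concatenating version needs a correct escape call for every string and a separate validation rule for every numeric value, with nothing stopping a maintainer from forgetting one.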