Posted by gosha bine on 06/29/07 08:10
On 29.06.2007 00:50 Jerry Stuckle wrote:
> Chris Hope wrote:
>> Jerry Stuckle wrote:
>>
>>> Malcolm Dew-Jones wrote:
>>>> jb (jbriere@gmail.com) wrote:
>>>> : Hi all, I've been tasked with reviewing a PHP app for SQL injection
>>>> : vulnerabilities left behind by another developer.
>>>>
>>>> Use bind variables. Some Oracle examples to illustrate how
>>
>> [snip]
>>
>>> Bind variables are not necessary if you use mysql_real_escape_string
>>> and otherwise validate your data (i.e. a numeric value is truly
>>> numeric).
>>
>> But using bind variables means you don't need to bother escaping the
>> data, because it's handled for you automatically.
>>
>
> Sure. But then you have to set up the query for binding then bind the
> variables. Extra work over simple SQL, either way.
>
> Don't get me wrong - I'm all for bind variables. I started using them
> with DB2 in the 80's when you had to use bind variables (or go through a
> lot of hoops dynamically preparing statements).
>
> I'm just pointing out that it's not necessary to use them to protect
> against SQL injection.
>
It might be interesting for you to have a look at this blog post
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
--
gosha bine
extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok
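The two approaches the quoted posts compare, side by side, as an added example that is not part of this thread or of any poster's code. It assumes a `users(id INT, email VARCHAR)` table and an open `mysqli` connection; the connection details are placeholders.

```php
<?php
// Added example (not from the thread). Both functions return matching rows
// from an assumed table `users(id INT, email VARCHAR)` as associative arrays.

// Approach 1: escaping plus type validation, as Jerry describes.
// Every string interpolated into the SQL goes through real_escape_string(),
// and the numeric value is validated rather than escaped (escaping alone
// does nothing for an unquoted number).
function findUserEscaped(mysqli $mysqli, $id, string $email): array
{
    if (!ctype_digit((string) $id)) {            // "truly numeric" check
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $safeEmail = $mysqli->real_escape_string($email);
    $sql = "SELECT id, email FROM users WHERE id = " . (int) $id
         . " AND email = '" . $safeEmail . "'";  // the quotes around the escaped value are required
    $result = $mysqli->query($sql);
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Approach 2: prepared statement with bound parameters, as Chris describes.
// The query text is sent with placeholders; the values never become part of
// the SQL string, so there is nothing to escape or quote.
function findUserBound(mysqli $mysqli, int $id, string $email): array
{
    $stmt = $mysqli->prepare('SELECT id, email FROM users WHERE id = ? AND email = ?');
    $stmt->bind_param('is', $id, $email);        // i = integer, s = string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage: host, credentials and database name are placeholders.
$mysqli = new mysqli('localhost', 'user', 'password', 'appdb');
$mysqli->set_charset('utf8mb4');                 // escaping is charset-dependent; set it on the connection first
var_dump(findUserEscaped($mysqli, $_GET['id'] ?? '0', $_GET['email'] ?? ''));
var_dump(findUserBound($mysqli, (int) ($_GET['id'] ?? 0), $_GET['email'] ?? ''));
```

The escaping version is only as safe as the discipline of quoting and validating every interpolated value; the bound version removes that step, which is the trade-off the thread is discussing.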