Posted by Jerry Stuckle on 08/29/07 18:24
Jan Thomä wrote:
> Good Man wrote:
>> i'll assume this code is here for brevity, and that you're really making
>> sure that your $check variable contains what you're expecting it to (a
>> number).
>>
>> I tend to craft my SQL 'where' statements AFTER checking for variables,
>> assembling them as a string, and appending them to a query.
>
> I always use the placeholder notation for doing SQL. Concatenating SQL strings
> from input values is almost certainly a safe path to SQL injection. So what
> I'd do is:
>
> foreach( ... ) {
> $where .= " OR id = ?";
> }
>
> and then use a framework like AdoDB to have them replace the placeholders.
> Saves a lot of time and problems...
>
> Best regards,
> Jan
>
>
Not if you properly cleanse your input. Ensure numeric values are
really numeric, and string values are processed through
mysql_real_escape_string(), for instance.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
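Both approaches from the thread side by side, as an added example that is not part of any post above: Jan's loop that emits one placeholder per id and hands the values to the driver, combined with Jerry's check that each id really is numeric, next to the plain string concatenation Jan warns about. It assumes Python's sqlite3 module with `?` placeholders as a stand-in for MySQL and AdoDB; the `users` table and its rows are constructed sample data, and the function names are mine.

```python
import re
import sqlite3
from typing import Iterable

# Constructed sample data; SQLite in memory stands in for the MySQL table.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")]
DIGITS = re.compile(r"[0-9]+")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def build_id_filter(ids: Iterable[object]) -> tuple[str, list[int]]:
    """Return (where_clause, params): one 'id = ?' per id, OR-joined, as in
    Jan's foreach loop. Each id must be a genuine integer (Jerry's numeric
    check); anything else raises ValueError before any SQL is built."""
    params: list[int] = []
    for raw in ids:
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(raw, bool) or not isinstance(raw, (int, str)):
            raise ValueError(f"id must be numeric, got {raw!r}")
        if isinstance(raw, str):
            # only plain ASCII digits pass; '1 OR 1=1' or '-1' do not
            if not DIGITS.fullmatch(raw.strip()):
                raise ValueError(f"id must be numeric, got {raw!r}")
            raw = int(raw)
        params.append(raw)
    if not params:
        # empty id list: match nothing rather than emit a dangling OR
        return "WHERE 0", []
    clause = " OR ".join("id = ?" for _ in params)
    return f"WHERE {clause}", params


def fetch_names_safe(conn: sqlite3.Connection, ids: Iterable[object]) -> list[str]:
    """Placeholders: the values travel separately from the SQL text."""
    where, params = build_id_filter(ids)
    cur = conn.execute(f"SELECT name FROM users {where} ORDER BY id", params)
    return [row[0] for row in cur]


def fetch_names_unsafe(conn: sqlite3.Connection, ids: Iterable[object]) -> list[str]:
    """Concatenation with no validation: the input becomes part of the SQL."""
    clause = " OR ".join(f"id = {raw}" for raw in ids)
    cur = conn.execute(f"SELECT name FROM users WHERE {clause} ORDER BY id")
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(build_id_filter([2, "4"]))        # ('WHERE id = ? OR id = ?', [2, 4])
    print(fetch_names_safe(db, [2, "4"]))    # ['bob', 'dave']
    print(fetch_names_unsafe(db, ["1 OR 1=1"]))  # every row comes back
    try:
        fetch_names_safe(db, ["1 OR 1=1"])
    except ValueError as exc:
        print("rejected:", exc)
```

The placeholder version never interpolates a value into the query text, so even a string that slips past the numeric check could only ever be compared against `id`, never parsed as SQL; the numeric check on top is what Jerry describes, and it turns a bad value into an error you can log instead of a query you did not write.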