Posted by Jan Thomä on 08/30/07 13:11

Jerry Stuckle wrote:
> Jan Thomä wrote:
>> I always use the placeholder notation for doing SQL. Concatenating SQL
>> strings from input values is almost certainly a safe path to SQL
>> injection.
>
> Not if you properly cleanse your input. Ensure numeric values are
> really numeric, and string values are processed through
> mysql_real_escape_string(), for instance.

Thanks for the input, and yes, I agree, you should definitely cleanse your
input before feeding it to the database. My point was simply that when you
give this kind of work to a framework and always use the ? notation, you
are safe from injection, even if you forget to check a single input
variable (which surely happens from time to time). Also, you don't have to
do the conversions to different formats manually, so you save a bit of time
and effort.

Best regards,
Jan

--
_________________________________________________________________________
insOMnia - We never sleep...
http://www.insOMnia-hq.de
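An added illustration of the distinction argued in this thread, not code from either poster; it uses Python's sqlite3 module and a constructed in-memory table rather than PHP and MySQL, but the mechanism is the same: with concatenation the input becomes part of the SQL text, so a perfectly legitimate name containing an apostrophe already breaks the statement, while with placeholder (?) notation the driver sends the input as a bound value and the quote is never interpreted as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the MySQL table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "O'Brien"), (3, "bob")],
    )
    return conn


def find_by_name_concat(conn, name):
    """Concatenation: the raw input is spliced into the SQL text.

    An apostrophe in the input terminates the string literal early, so the
    database sees a different statement than intended. Returns None when the
    statement fails to parse, so the caller can see the breakage.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def find_by_name_placeholder(conn, name):
    """Placeholder notation: the SQL text is fixed, the input is a bound value.

    Whatever the input contains, it can only ever be compared against the
    name column; it cannot change the shape of the statement.
    """
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_id_placeholder(conn, user_id):
    """Numeric input from a form arrives as text; the cast is the 'really
    numeric' check from the thread, and the placeholder does the rest."""
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, "O'Brien"))       # None: statement broke
    print(find_by_name_placeholder(db, "O'Brien"))  # [(2, "O'Brien")]
    print(find_by_id_placeholder(db, "3"))          # [(3, 'bob')]
```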
