Posted by Stefan Rybacki on 11/18/05 12:21
www.douglassdavis.com wrote:
> I have an idea for preventing SQL injection attacks, however it would
> have to be implemented by the database vendor. Let me know if I am on
> the right track, if this is totally off base, or if it is already implemented
> somewhere...
>
> Let's say you could have a format string such as in printf
>
> $format=" SELECT %s FROM %s WHERE id='%s' ";
> $fieldname="last_name";
> $tablename="personel";
> $id="425";
>
> and you could execute a query like
>
> mysql_query_formatted($format, $fieldname, $tablename, $id);
I know them as prepared statements, and they look like this:
INSERT INTO table (attr1,attr2,...,attrN) VALUES (?,?,?,?,?,...,?)
And they are filled like this:
preparedStatement->setString(pos, string) or
preparedStatement->setBoolean(pos, bool) or ...
So the prepared statement functions handle each type as they have to (e.g. escaping strings
if necessary and adding 's to the start and end).
Regards
Stefan
>...
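Added example (not code from either poster): the printf-style idea from the original message next to the `?`-placeholder prepared statement Stefan describes, run against a constructed in-memory SQLite table instead of MySQL. It goes one step beyond the thread in that a bound parameter can only ever be a value, so the table and column names from the proposal are checked against an allow-list rather than bound.

```python
import sqlite3

# Constructed sample data for the demo; the table name mirrors the post.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE personel (id INTEGER PRIMARY KEY, last_name TEXT)")
    con.executemany("INSERT INTO personel VALUES (?, ?)",
                    [(425, "Smith"), (426, "Jones")])
    return con

# Identifiers (table/column names) cannot be bound as parameters, so they are
# validated against a fixed allow-list instead of being spliced in unchecked.
ALLOWED = {"personel": {"id", "last_name"}}

def query_formatted(con, fieldname, tablename, id_value):
    """The printf-style proposal: every argument is pasted into the SQL text,
    so a value containing a quote changes the statement itself."""
    sql = "SELECT %s FROM %s WHERE id='%s'" % (fieldname, tablename, id_value)
    return [row[0] for row in con.execute(sql)]

def query_prepared(con, fieldname, tablename, id_value):
    """Prepared statement: identifiers allow-listed, the value bound via '?'
    so the driver always treats it as data, never as SQL."""
    if tablename not in ALLOWED or fieldname not in ALLOWED[tablename]:
        raise ValueError("table or column not allowed")
    sql = "SELECT %s FROM %s WHERE id=?" % (fieldname, tablename)
    return [row[0] for row in con.execute(sql, (id_value,))]

if __name__ == "__main__":
    con = make_db()
    tampered = "425' OR '1'='1"   # classic test input for a quoting bug
    print(query_formatted(con, "last_name", "personel", tampered))  # both rows
    print(query_prepared(con, "last_name", "personel", tampered))   # no rows
```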