Posted by ATK on 05/23/05 01:24
Thanks for your reply, I still have some questions:
Andy Hassall wrote:
>> $sql = "INSERT INTO fotos (id_foto, id_cat, id_m, fotos, avg,
>>total, foto_type) VALUES (fotografias_id.nextval, 1, $id, '$date', '0',
>>'0', '$foto_type')";
>
>
> Eep. Use placeholders/bind variables. Do not embed variables into SQL -
> _particularly_ under Oracle.
>
> Asides from the security issues due to escaping (addslashes() does NOT escape
> strings as required by Oracle), it also results in masses of "hard parsing",
> also the maximum length of a literal string is 4000 characters so your file
> won't work, and also you're subjecting binary data to character set conversions
> potentially resulting in more corruption.
>
If addslashes is not enough, what should I use?
What do you mean by "placeholders/bind variables"? Can you show some
links/code examples, and let me remind you that I can only use ODBC
functions, not Oracle extension functions...
Thanks again
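Added example for this thread (not code from ATK or Andy Hassall): the quoted INSERT rewritten with ODBC placeholders using only the PHP ODBC functions, odbc_prepare() and odbc_execute(). It assumes a DSN named "oracle_dsn" and the user/password shown, and takes the table, column and sequence names from the quoted statement; the values for $id, $date and $foto_type are constructed here in place of the original script's request data.

```php
<?php
// Added example, not the original poster's code. Assumptions: an ODBC DSN called
// "oracle_dsn", the credentials below, and the table/sequence names from the thread.
$user = 'scott';   // assumption: your ODBC user
$pass = 'tiger';   // assumption: your ODBC password

$conn = odbc_connect('oracle_dsn', $user, $pass);
if ($conn === false) {
    die('Connection failed: ' . odbc_errormsg());
}

// Caveat specific to odbc_execute(): a parameter value that starts AND ends with a
// single quote is treated as the name of a local file, which is read and sent to the
// server as the parameter data. A user who submits 'something' (quotes included) could
// therefore make the script read an arbitrary file. Reject that shape for every value
// that is not meant to be a file path.
function safe_param($value)
{
    $value = (string) $value;
    if (strlen($value) >= 2 && $value[0] === "'" && substr($value, -1) === "'") {
        throw new InvalidArgumentException('parameter must not be wrapped in single quotes');
    }
    return $value;
}

// The three interpolated values ($id, '$date', '$foto_type') become ? placeholders.
// The sequence call and the constant columns stay literal in the SQL text. There is no
// addslashes() anywhere: the driver sends the values separately from the statement, so
// quoting is not the script's job and escaping would only corrupt the data.
$sql = "INSERT INTO fotos (id_foto, id_cat, id_m, fotos, avg, total, foto_type)
        VALUES (fotografias_id.nextval, 1, ?, ?, 0, 0, ?)";

$stmt = odbc_prepare($conn, $sql);
if ($stmt === false) {
    die('Prepare failed: ' . odbc_errormsg($conn));
}

// Constructed sample values standing in for the request data of the original script.
$id        = 42;
$date      = date('Y-m-d');
$foto_type = 'image/jpeg';

$params = array(safe_param($id), safe_param($date), safe_param($foto_type));

// The same prepared statement can be executed repeatedly with different values; Oracle
// parses it once, which is the "hard parsing" point from the reply above.
$ok = odbc_execute($stmt, $params);
if ($ok === false) {
    die('Insert failed: ' . odbc_errormsg($conn));
}

echo "Inserted one row.\n";
odbc_free_result($stmt);
odbc_close($conn);
```

The single-quote convention is also the supported way to send a file through odbc_execute(): if a column is meant to hold the uploaded photo itself, pass the temporary file's path wrapped in single quotes as that parameter and the extension streams the file contents to the server instead of embedding them in the SQL text. Use that deliberately for the file parameter only, and keep the guard above on every other parameter.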