Re: SQL injection

On Tue, Nov 01, 2005 at 08:57:04AM -0500 I heard the voice of
Tom Lane, and lo! it spake thus:
> 
> If you rely on applying an escaping function then it's pretty easy
> to forget it in one or two places, and it only takes one hole to be
> vulnerable :-(.

The trick is to make it a religious ritual.  I escape things into _q
variables:

$name = $_REQUEST['name'];
$name_q = db_quote($name);

And have myself thoroughly trained to ONLY use _q variables in
building queries.  Of course, once in a while, I forget to _create_
the _q version before using it, but then I get a nice loud error
message castigating me for it.  I often (not consistently) create _q
variables even for known-good strings and such that I hardcode into
the program.

It could well be that using prepared statements is by various metrics
a "better" way to go about things.  But I'm far too lazy to try and
reprogram my fingers ;-)


-- 
Matthew Fuller     (MF4839)   |  fullermd@xxxxxxxxxxxxxxx
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
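The "_q" discipline described in the post, beside the prepared-statement alternative it mentions, as an added example that is not part of the original message. It assumes a live connection from pg_connect() with a placeholder DSN, and implements the poster's db_quote() helper name with pg_escape_literal(), which adds the surrounding quotes itself.

```php
<?php
// Added example, not the poster's code. Assumes a reachable PostgreSQL
// database; the DSN below is a placeholder.
declare(strict_types=1);

// db_quote() is the helper name used in the post; here it is built on
// pg_escape_literal(), which returns a fully quoted literal
// (e.g. O'Brien becomes 'O''Brien', so no extra quotes are needed).
function db_quote($db, string $value): string
{
    return pg_escape_literal($db, $value);
}

// Make "undefined variable" fatal, so forgetting to create the _q
// version fails loudly instead of silently interpolating an empty string.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

$db = pg_connect('dbname=app');  // placeholder DSN

$name   = $_REQUEST['name'] ?? '';
$name_q = db_quote($db, $name);

// Escaping style: only _q variables ever appear inside SQL text.
$res = pg_query($db, "SELECT id FROM users WHERE name = $name_q");

// Prepared-statement style: the raw value never touches the SQL text,
// so there is no _q variable to forget.
$res2 = pg_query_params(
    $db,
    'SELECT id FROM users WHERE name = $1',
    [$name]
);
```

With the error handler installed, a query that references `$other_q` before `$other_q = db_quote($db, $other)` was written throws rather than running.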
