> From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
> Sent: Fri 26/05/2006 15:54
>
> Brad Bonkoski wrote:
> > All...
> > A lot has been said recently about the dangers of the family of
> > magic_quotes...
> > I understand the dangers.
> > The question is, for those of us using a database that does not have a
> > *real_escape_string function...Oracle for example.
> > What is the *best* way to escape quotes for DB insertion?
>
> looking at the manual I would assume that ora_bind() is the best way of safely
> stuffing things into an oracle DB:
>
> http://php.net/manual/en/function.ora-bind.php

Whoa, that is waaaay out of date - the ora_ functions have been deprecated as long as I've been using PHP, which is several years now! You should be using the OCI extension, and oci_bind_by_name().

> if this function is of any worth it *should* be doing any/all proper escaping of
> data 'under water' and hopefully much more thoroughly/correctly than anything you/we
> could do in userland.
>
> <remark type="biased">
> of course you could use firebird DB (php5 interbase extension) and just make use of
> the built in parameterized query functionality - which is simple to use, doesn't
> require endless reams of parameter binding declaration and is rock solid (i.e. no
> matter how crap my input filtering is SQL injection remains impossible ;-))
> </remark>

oci_bind_by_name() (and, presumably, ora-bind() before it) *is* Oracle's parameterized query equivalent -- admittedly not quite as elegant, but no escaping required and is "rock solid (i.e. no matter how crap [your] input filtering is SQL injection remains impossible"!).
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: m.ford@xxxxxxxxxxxxxx
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
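The bind-variable approach the reply recommends, as an added example written for this thread (not code from the list or from the OCI8 extension itself). The connection details, the credentials and the USERS(NAME, EMAIL) table are assumptions; the unsafe function is shown only to contrast it with the bound form.

```php
<?php
// Added example: inserting user-supplied strings into Oracle with the OCI8
// extension. Requires the oci8 extension and a reachable Oracle instance;
// the DSN, credentials and USERS table below are assumed for illustration.

// The pattern the thread warns against: splicing raw input into the SQL text
// and hoping magic_quotes or hand-rolled escaping covers every case.
// A perfectly legitimate name such as O'Brien already breaks this statement.
function insert_user_unsafe($conn, string $name, string $email): bool
{
    $sql  = "INSERT INTO users (name, email) VALUES ('" . $name . "', '" . $email . "')";
    $stmt = oci_parse($conn, $sql);
    return oci_execute($stmt);
}

// Parameterized form: the SQL text holds only placeholders and is parsed
// once; the values are handed to the driver separately, so quote characters
// in the input are never interpreted as SQL and no userland escaping is needed.
function insert_user_bound($conn, string $name, string $email): bool
{
    $stmt = oci_parse($conn, 'INSERT INTO users (name, email) VALUES (:name, :email)');
    oci_bind_by_name($stmt, ':name',  $name);
    oci_bind_by_name($stmt, ':email', $email);
    // OCI_COMMIT_ON_SUCCESS is the default, so the row is committed here.
    return oci_execute($stmt);
}

$conn = oci_connect('scott', 'tiger', 'localhost/XE');   // assumed credentials / DSN
if (!$conn) {
    $e = oci_error();
    trigger_error($e['message'], E_USER_ERROR);
}

// The apostrophe is stored verbatim; nothing was escaped or stripped.
insert_user_bound($conn, "O'Brien", "ob@example.com");
oci_close($conn);
```

Bound values also keep the statement text constant, so Oracle can reuse the parsed cursor across calls instead of hard-parsing a new string for every distinct input.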