Re: MySql Injection advice

Eddie Drapkin wrote:
> Things I have used prepared statements for:
> 1. SELECT
> 2. UPDATE
> 3. INSERT
> 4. DELETE
> 5. Stored procedures
>
> Things I am aware of that prepared statements are not capable of doing:
>
> What have you read that prepared statements can't do?  I've not heard
> of anything, nor have I encountered anything, myself.  And given that
> I am prone to making errors, I like the fact that my work flow
> prevents a mistake I make leading to an unnoticed vulnerability.

There was some stuff specified in the MySQL documentation.

I *think*, for example, selecting data resulting from a union of two tables with the AS TABLE modifier. I might be wrong about that.

It was nothing I frequently do.

I do have one really ugly query that does joins of one table and another table that actually is a union of two tables - but that particular query does not use any user provided data (it's part of my range map generation script) so I don't use prepared statements with it anyway.

There's actually a bug in it (my huge query), though it's not significant; I'm planning to just break it up into several smaller queries and use PHP to do the hard work, since that's easier to read and performance isn't an issue (it's run by the server twice a month to generate a PNG image, never run by a user).

But yeah - the stuff in the documentation where prepared statements don't work is pretty obscure stuff.

I believe MDB2 simulates prepared statements for databases without native prepared statements anyway.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
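
Added example, not code from the thread or from MDB2: the two functions below put the string-built query that the prepared-statement workflow discussed above guards against beside its PDO prepared form, and show the PDO attribute that switches between server-side prepares and the kind of client-side simulation MDB2 is described as doing. The `users` table, its columns and the connection values are assumptions.

```php
<?php
// Added example; table `users(id, email)` and the DSN/credentials are assumed placeholders.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // false: the MySQL server prepares the statement itself, so a statement the
    //        server cannot prepare fails loudly at prepare() time.
    // true:  PDO builds the SQL string client-side (like a simulated prepare);
    //        values are still escaped by PDO, but the server never sees a
    //        separate parameter, so this is the emulation, not the real thing.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Vulnerable form: $email is spliced into the SQL text, so one forgotten
// escape turns into an injection point. This is the mistake the thread's
// "always use prepared statements" workflow is meant to make impossible.
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prepared form: the SQL text is fixed and contains no user data; the value
// travels to the server as a separate parameter bound to the placeholder.
function findUserSafe(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same pattern for the other statement kinds Eddie lists; the shape is
// identical, only the verb changes.
function updateUserEmail(PDO $pdo, int $id, string $newEmail): int
{
    $stmt = $pdo->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $newEmail, ':id' => $id]);
    return $stmt->rowCount();
}

// Usage with a constructed input; the same call is safe for any string value.
var_dump(findUserSafe($pdo, $_GET['email'] ?? ''));
```

With `PDO::ATTR_EMULATE_PREPARES` left at its MySQL-driver default of true, `prepare()` does not contact the server, so the rare statements the MySQL documentation says cannot be prepared would only fail when executed; setting it to false surfaces that at prepare time instead.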

