>> Logically, it does _not_ mean the same thing.
>
> Definitely not -- it would be a bit presumptuous to claim "If you do
> X, the query is not vulnerable to SQL injection attacks" for just
> about any value of X.

That is what I thought: no magic bullet.

> That said, I would recommend binding parameters if you can. It's a
> cleaner way of separating the logic of a query from its data, and
> theoretically more reliable than mysql_real_escape_string():
>
> http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

I fail to understand what is happening here. For the sake of context, here is the PHP code in TFA:

    <?php
    $db = new PDO('pgsql:dbname=database');
    // The statement text contains only named placeholders, no user data.
    $stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
    // Each placeholder is bound to a PHP variable; the values are supplied as data at execute time.
    $stmt->bindParam(':username', $user);
    $stmt->bindParam(':password', $pass);
    $stmt->execute();

What exactly does bindParam do? I read these pages in TFM but I still do not understand what exactly is being sent to the database:

http://il2.php.net/manual/en/function.db2-bind-param.php
http://il2.php.net/manual/en/function.maxdb-stmt-bind-param.php
http://il2.php.net/manual/en/mysqli-stmt.bind-param.php

I do not see how there could possibly be a prepared statement for a user comment. I am not a programmer by trade, so I may be missing something obvious. If so, a link and a friendly RTFM would be great.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
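An added illustration (not part of the thread, and not the TFA code) of the two questions above: the login query with named placeholders as in TFA, and a "user comment" stored through a prepared statement. It uses Python's sqlite3 module with a constructed in-memory database instead of PHP PDO; the driver mechanics differ, but the point is the same: the SQL text with placeholders and the values are handed to the driver separately, so nothing in the values is ever parsed as SQL.

```python
import sqlite3

# Same statement as in TFA; the placeholders stand in for the data.
LOGIN_SQL = "SELECT priv FROM testUsers WHERE username=:username AND password=:password"
COMMENT_SQL = "INSERT INTO comments (username, body) VALUES (?, ?)"

def setup():
    # Constructed in-memory database: the table from TFA plus a comments table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testUsers (username TEXT, password TEXT, priv TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, username TEXT, body TEXT)")
    conn.execute("INSERT INTO testUsers VALUES ('alice', 's3cret', 'user')")
    return conn

def lookup_priv(conn, user, pwd):
    # The statement text never changes; only the bound values do.
    row = conn.execute(LOGIN_SQL, {"username": user, "password": pwd}).fetchone()
    return row[0] if row else None

def store_comment_unsafe(conn, user, text):
    # Interpolation: the comment is pasted into the SQL text, so a quote in
    # the comment is parsed as SQL and breaks (or alters) the statement.
    conn.execute("INSERT INTO comments (username, body) VALUES ('%s', '%s')" % (user, text))

def store_comment_bound(conn, user, text):
    # Binding: the driver compiles COMMENT_SQL with its placeholders first,
    # then attaches the values as data, so the comment is stored exactly as typed.
    conn.execute(COMMENT_SQL, (user, text))

def fetch_bodies(conn):
    return [r[0] for r in conn.execute("SELECT body FROM comments ORDER BY id")]

def demo():
    conn = setup()
    comment = "I don't think that's right"  # constructed comment with apostrophes
    out = {"priv_ok": lookup_priv(conn, "alice", "s3cret"),
           "priv_bad": lookup_priv(conn, "alice", "wrong")}
    try:
        store_comment_unsafe(conn, "alice", comment)
        out["unsafe"] = "stored"
    except sqlite3.OperationalError as exc:
        out["unsafe"] = "syntax error: %s" % exc
    store_comment_bound(conn, "alice", comment)
    out["bodies"] = fetch_bodies(conn)
    return out

if __name__ == "__main__":
    print(demo())
```

The interpolated insert fails on the apostrophes while the bound insert stores the comment verbatim; the same separation is what makes the bound version resistant to injected SQL.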