On May 2, 2008, at 8:00 AM, Jason Pruim wrote:
> On May 1, 2008, at 8:31 PM, Chris wrote:
>> PS... Was it you, Jason, or someone else who asked about the security
>> of the community knowing their database structure and I encouraged the
>> use of `backticks` around all field and table names?
>
> Yeah it was me... Old habits die hard :) I'm working on converting
> everything :)
>
>> A little caveat with that:
>> 1) it's MySQL specific
>
> Currently the system is just running on my server, and probably
> always will... so I'm not too worried about it being MySQL specific.

So is the query (MySQL-specific). If you change to another *SQL, then
you'll probably have to change the query anyway, so the backticks are
not the biggest issue and they'll help you in the meantime.

>> 2) I can disable you using backticks
>> http://www.php.net/manual/en/language.operators.execution.php
>
> I'll have to take a look at that and see what it says in a little bit.

As you mentioned, Chris, the backticks are in a string, so there's not
a security risk in this method.

~Philip
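An added example (not code from anyone in this thread) showing the two points discussed: backticks inside a PHP string are ordinary characters sent to MySQL, not PHP's execution operator, and an identifier-quoting helper has to double any embedded backtick so a name cannot close the quote early. The function name `quoteIdentifier` and the column whitelist are assumptions for illustration.

```php
<?php
// Added example, not from the mailing-list thread.

/**
 * Quote a MySQL identifier (table or column name) with backticks.
 * MySQL escapes a backtick inside a quoted identifier by doubling it,
 * so a name taken from outside the program cannot terminate the quote.
 * Identifiers longer than 64 characters are rejected (MySQL's limit).
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('invalid identifier length');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Constructed sample: a column whitelist is checked before quoting, so the
// quoting is a second line of defence, not the only one.
$allowedColumns = ['id', 'first name', 'order'];   // 'order' is a reserved word
$requested = 'order';                               // constructed request value
if (!in_array($requested, $allowedColumns, true)) {
    throw new RuntimeException('column not allowed');
}

$sql = 'SELECT ' . quoteIdentifier($requested)
     . ' FROM ' . quoteIdentifier('users');

// The backticks in $sql are characters inside a PHP string literal, so they
// are only ever passed to MySQL as part of the query text. PHP's execution
// operator is a bare backtick expression in code, which is a different
// construct; the manual page linked above notes it is disabled whenever
// shell_exec() is disabled via disable_functions in php.ini.
echo $sql, "\n";
```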
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php