Re: SQL Injection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 15/05/15 06:21, Karl DeSaulniers wrote:
> Oh ok. Now it makes a little more sense. 
> I have worked in ASP before, but I am programming in PHP and MySQL at the moment. 
> 
> I am going to look into Prepared Statements. Thanks for your feedback.

Just to clarify things a little here and explain
http://php.net/manual/en/pdo.prepared-statements.php a little more ...

Many of the legacy injection problems where/are caused by building up
the query as a fully self contained string. Various methods like
'magic_quotes' and wrapping $var in things like makesafe($var) were the
only way some database engines could handle adding variables to the SQL
string and much code still follows that style even today. Other database
engines have always had the ability to pass the variables as a separate
array of data, and the @x is more normally seen as a simple ? in the SQL
string, so PDO and other frameworks map the ':var' elements of the first
example to the relevant style used by the database. Actually naming
parameters is not the norm, so one has to have the right number of '?'
elements to go with the array of data passed, so PDO is adding a layer
of code which hides the underlying execute(sql_query, array_of_data);

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux