Re: SQL Injection

On May 16, 2015, at 3:51 AM, Lester Caine <lester@xxxxxxxxxxx> wrote:

> On 15/05/15 06:21, Karl DeSaulniers wrote:
>> Oh ok. Now it makes a little more sense. 
>> I have worked in ASP before, but I am programming in PHP and MySQL at the moment. 
>> 
>> I am going to look into Prepared Statements. Thanks for your feedback.
> 
> Just to clarify things a little here and explain
> http://php.net/manual/en/pdo.prepared-statements.php a little more ...
> 
> Many of the legacy injection problems where/are caused by building up
> the query as a fully self contained string. Various methods like
> 'magic_quotes' and wrapping $var in things like makesafe($var) were the
> only way some database engines could handle adding variables to the SQL
> string and much code still follows that style even today. Other database
> engines have always had the ability to pass the variables as a separate
> array of data, and the @x is more normally seen as a simple ? in the SQL
> string, so PDO and other frameworks map the ':var' elements of the first
> example to the relevant style used by the database. Actually naming
> parameters is not the norm, so one has to have the right number of '?'
> elements to go with the array of data passed, so PDO is adding a layer
> of code which hides the underlying execute(sql_query, array_of_data);
> 
> -- 
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

Thank you Lester. 
That does clarify things a bit better on both the @ question
and prepared statements. Thank you for the link as well.

So new question.. what is the best type of database to use
for someone who wants to start small and grow big?

My findings led me to MySQL InnoDB.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com
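To illustrate the three styles Lester's reply contrasts (string-built SQL, `?` placeholders with a positional data array, and `:name` placeholders that PDO maps onto the driver's native form), here is an added PHP example that is not part of this thread. It assumes the pdo_sqlite extension is available and builds its own in-memory table, so it runs without a server; the user name containing a quote is a constructed input standing in for anything read from `$_GET` or a form.

```php
<?php
// Added example (not from the thread): PDO prepared statements against an
// in-memory SQLite database. Assumes the pdo_sqlite extension is loaded.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// pdo_sqlite always prepares on the engine side. On MySQL you would also set
// PDO::ATTR_EMULATE_PREPARES => false so the server, not the client, does it.

// Constructed table and rows for the demonstration.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'),
            ('O''Brien', 'ob@example.com')");

// Untrusted input (constructed). The quote is ordinary data for a prepared
// statement but breaks a query that is assembled as one string.
$name = "O'Brien";

// 1. Positional placeholders: one '?' per element of the data array, in order.
//    The variables never touch the SQL text; they travel as a separate array.
$stmt = $pdo->prepare("SELECT id, email FROM users WHERE name = ?");
$stmt->execute([$name]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));

// 2. Named placeholders: PDO rewrites ':name' / ':domain' into whatever the
//    underlying driver expects, then calls its execute(sql, data) for you.
$stmt = $pdo->prepare(
    "SELECT id, email FROM users WHERE name = :name AND email LIKE :domain"
);
$stmt->execute([':name' => $name, ':domain' => '%@example.com']);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));

// 3. The legacy string-building style for contrast: the quote inside $name
//    terminates the literal early, so the engine rejects the statement
//    (and with other inputs would execute something the author never wrote).
try {
    $pdo->query("SELECT id FROM users WHERE name = '$name'");
} catch (PDOException $e) {
    echo "string-built query failed: ", $e->getMessage(), "\n";
}
```

The point of the comparison: in 1 and 2 the statement is parsed once with the placeholders in it, and the values are bound afterwards as data, so no quoting or escaping function such as the `makesafe($var)` wrappers Lester mentions is needed. In 3 the value becomes part of the SQL text before parsing, which is exactly the class of problem those wrappers tried to paper over.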


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php