On Thu, Apr 3, 2008 at 9:50 AM, William Temperley
<willtemperley@gmail.com> wrote:
> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?
I have an idea, but I can't comment if it is a good idea since I
haven't tried it.
Maybe you can create a temp table for each user, insert the values you
want into the table, and lastly perform a join on your foo table with
the user's temp table. This hopefully would leave anything open for
injection.
When you are done just drop the temp table.
--
Regards,
Richard Broersma Jr.
