Home > mailing lists

Re: More PHP DB abstraction layer stuff - Mailing list pgsql-general

From	Nigel J. Andrews
Subject	Re: More PHP DB abstraction layer stuff
Date	January 24, 2003 17:54:27
Msg-id	Pine.LNX.4.21.0301241914020.28504-100000@ponder.fairway2k.co.uk Whole thread Raw
In response to	Re: More PHP DB abstraction layer stuff (Dennis Gearon <gearond@cvc.net>)
Responses	Re: More PHP DB abstraction layer stuff
List	pgsql-general

Tree view


On Fri, 24 Jan 2003, Dennis Gearon wrote:

> could you elaborate on:
>
>     Place holders ( those are in prepared queries, yes?)
>     out of band?
>
> 1/24/2003 9:22:42 AM, Greg Stark <gsstark@mit.edu> wrote:
>
> >
> >But the best way to deal with this is to use placeholders and prepared queries
> >and provide the data out of band. This completely sidesteps the issue and
> >guarantees you can't get it wrong by mistake ever. Mixing user-provided data
> >with program code is a recipe for security holes.

In perl with DBI:

$sth = $dbh->prepare("SELECT * FROM mytable WHERE id = ?");
$sth->execute($idvalue);

I didn't even know it was possible in PHP. I've never used it before.


--
Nigel J. Andrews

pgsql-general by date:

From: Dennis Gearon
Date: 24 January 2003, 17:47:36
Subject: Re: More PHP DB abstraction layer stuff

From: will trillich
Date: 24 January 2003, 18:08:45
Subject: Re: I was spoiled by the MySQL timestamp field

Re: More PHP DB abstraction layer stuff - Mailing list pgsql-general

Previous

Next