Thread: Re: [GENERAL] More PHP DB abstraction layer stuff
Could you elaborate on:

Placeholders (those are in prepared queries, yes?)
out of band?

1/24/2003 9:22:42 AM, Greg Stark <gsstark@mit.edu> wrote:

> "Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
>
> But the best way to deal with this is to use placeholders and prepared queries
> and provide the data out of band. This completely sidesteps the issue and
> guarantees you can't get it wrong by mistake ever. Mixing user-provided data
> with program code is a recipe for security holes.
>
> --
> greg
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
Dennis Gearon <gearond@cvc.net> writes:

> Could you elaborate on:
>
> Placeholders (those are in prepared queries, yes?)
> out of band?

I think by "out of band" Greg just means substituting values into a prepared
query rather than glomming everything into an SQL string by yourself. For
example, in Perl DBI you'd do something like:

  use DBI;
  # $user/$pass are assumed to be set elsewhere; connect returns the handle $dbh
  my $dbh = DBI->connect("dbi:Pg:dbname=mydb", $user, $pass, { RaiseError => 1 });
  my $sth = $dbh->prepare("select * from mytable where first_name = ?");
  my $ret_val = $sth->execute("Fred");   # might come from a web form instead
  my @row = $sth->fetchrow_array();

The database driver is responsible for turning the '?' in the query into a
properly-quoted and escaped value, or otherwise supplying it to the database.
The '?' is a placeholder.

-Doug
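The contrast Doug draws, as an added example that is not from the thread: the same lookup written by gluing the value into the SQL string versus passing it out of band through a '?' placeholder (Python's sqlite3 uses the same placeholder convention as Perl DBI). The in-memory table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the thread's "mytable" (not from the original post).
    dbh = sqlite3.connect(":memory:")
    dbh.execute("create table mytable (id integer primary key, first_name text)")
    dbh.executemany("insert into mytable (first_name) values (?)",
                    [("Fred",), ("O'Brien",), ("Alice",)])
    return dbh


def find_by_concat(dbh, first_name):
    # The "glom everything into an SQL string yourself" approach: the value
    # becomes part of the program text, so any quote in it changes the query.
    sql = "select id, first_name from mytable where first_name = '" + first_name + "'"
    return dbh.execute(sql).fetchall()


def find_by_placeholder(dbh, first_name):
    # Placeholder plus out-of-band value: the driver hands first_name to the
    # database as data, so quotes or SQL syntax in it cannot alter the query.
    sql = "select id, first_name from mytable where first_name = ?"
    return dbh.execute(sql, (first_name,)).fetchall()


def compare(first_name):
    """Return (concat_result, placeholder_result) for one input value.

    A concatenated query that the database refuses to parse is reported as
    the exception's class name instead of a row list.
    """
    dbh = make_db()
    try:
        concat = find_by_concat(dbh, first_name)
    except sqlite3.Error as e:
        concat = type(e).__name__
    return concat, find_by_placeholder(dbh, first_name)


if __name__ == "__main__":
    # A perfectly legitimate name with an apostrophe breaks the glued-together
    # query but is matched literally through the placeholder.
    for name in ("Fred", "O'Brien"):
        print(name, compare(name))
```

The apostrophe case is the benign face of the hole Greg describes: once user data can end the quoted literal early, the rest of the input is read as SQL, which is exactly what the placeholder version rules out.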