Re: [GENERAL] More PHP DB abstraction layer stuff

From: Dennis Gearon
Could you elaborate on:

    Placeholders (those are in prepared queries, yes?)
    out of band?

1/24/2003 9:22:42 AM, Greg Stark <gsstark@mit.edu> wrote:

>
>"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
>
>But the best way to deal with this is to use placeholders and prepared queries
>and provide the data out of band. This completely sidesteps the issue and
>guarantees you can't get it wrong by mistake ever. Mixing user-provided data
>with program code is a recipe for security holes.
>
>--
>greg
Re: [GENERAL] More PHP DB abstraction layer stuff

From: Doug McNaught
Dennis Gearon <gearond@cvc.net> writes:

> Could you elaborate on:
>
>     Placeholders (those are in prepared queries, yes?)
>     out of band?

I think by "out of band" Greg just means substituting values into a
prepared query rather than glomming everything into an SQL string by
yourself.  For example, in Perl DBI you'd do something like:

use DBI;                               # $dbh is an already-opened DBI database handle
my $sth = $dbh->prepare("select * from mytable where first_name = ?");
my $ret_val = $sth->execute("Fred");   # might come from a web form instead
my @row = $sth->fetchrow_array();

The database driver is responsible for turning the '?' in the query
into a properly-quoted and escaped value, or otherwise supplying it to
the database.  The '?' is a placeholder.

-Doug
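Below is an added example that is not part of this thread: it shows the same contrast Doug and Greg describe, but in Python with the standard-library sqlite3 module (whose DB-API paramstyle is also `?`) so that it runs offline. The table, rows and form inputs are constructed for the demonstration. The first function splices the value into the SQL text, the second hands it to the driver out of band through a placeholder; the test inputs show that the spliced version both breaks on a legitimate apostrophe and lets a crafted value change the query's meaning, while the placeholder version treats every input as plain data.

```python
import sqlite3

# Constructed sample table standing in for "mytable" from the thread.
SAMPLE_ROWS = [
    (1, "Fred", "Bloggs"),
    (2, "Alice", "Smith"),
    (3, "Bob", "Jones"),
    (4, "D'Arcy", "Wentworth"),   # a perfectly legitimate name containing a quote
]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table mytable (id integer primary key, first_name text, last_name text)"
    )
    conn.executemany("insert into mytable values (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_first_name_unsafe(conn, first_name):
    """The pattern the thread warns against: the value is glued into the SQL
    string, so the database sees it as part of the program, not as data."""
    sql = (
        "select id, first_name, last_name from mytable where first_name = '"
        + first_name
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_by_first_name(conn, first_name):
    """The placeholder version: the SQL text is fixed, and the driver supplies
    the value separately ("out of band"), so it can never be parsed as SQL."""
    sql = "select id, first_name, last_name from mytable where first_name = ?"
    return conn.execute(sql, (first_name,)).fetchall()


def unsafe_query_fails(conn, first_name):
    """Return True if the string-splicing version raises on this input."""
    try:
        find_by_first_name_unsafe(conn, first_name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Constructed form inputs: a normal name, a name with an apostrophe, and a
    # value that would change the meaning of the spliced query.
    for value in ("Fred", "D'Arcy", "Fred' or 'a'='a"):
        print("placeholder:", repr(value), "->", find_by_first_name(conn, value))
        if unsafe_query_fails(conn, value):
            print("spliced:    ", repr(value), "-> SQL error")
        else:
            print("spliced:    ", repr(value), "->", find_by_first_name_unsafe(conn, value))
```

Running it shows the placeholder query returning exactly one row for "Fred", one row for "D'Arcy" and no rows for the crafted value, while the spliced query errors on the apostrophe and returns the whole table for the crafted value. That is the "can't get it wrong by mistake" property Greg refers to: with placeholders there is no quoting step for the application to forget.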