$sql = "insert into $table ($col_list) values ($bind_list)";
Can I just point out that you've just negated the whole reason for having parameters in the first place, imo.
uhm the point of prepared queries is not to eliminate SQL injection. That's just an added benefit
$table is just as vulnerable to an SQL injection attack as any of the parameters were before we had parameter binding.
you are assuming that $table has not been sanitized, which seems quite unlikely to me; it's not even going to be a variable controlled by user input in the first place.
regards, Lukas
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
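An added example, not code from this thread, showing the point both sides are making: the bound values are safe, but $table and $col_list are pasted into the statement text before prepare() ever sees it, so they have to be validated separately. It assumes PDO with the pdo_sqlite extension and a hypothetical $schema allowlist of known tables and columns.

```php
<?php
// In-memory SQLite so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');

// The pattern from the thread: values are bound, but $table and $col_list
// are interpolated into the SQL text, so binding does nothing for them.
function insert_unchecked(PDO $pdo, string $table, array $row): void {
    $col_list  = implode(', ', array_keys($row));
    $bind_list = implode(', ', array_fill(0, count($row), '?'));
    $sql = "insert into $table ($col_list) values ($bind_list)";
    $pdo->prepare($sql)->execute(array_values($row));
}

// Hardened variant: every identifier must appear in the allowlist
// ($schema is a hypothetical table => columns map) before it is interpolated,
// and identifiers are double-quoted as SQL requires.
function insert_checked(PDO $pdo, array $schema, string $table, array $row): void {
    if (!isset($schema[$table])) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $cols = array_keys($row);
    foreach ($cols as $c) {
        if (!in_array($c, $schema[$table], true)) {
            throw new InvalidArgumentException("unknown column: $c");
        }
    }
    $quote = fn(string $id) => '"' . str_replace('"', '""', $id) . '"';
    $col_list  = implode(', ', array_map($quote, $cols));
    $bind_list = implode(', ', array_fill(0, count($cols), '?'));
    $sql = 'insert into ' . $quote($table) . " ($col_list) values ($bind_list)";
    $pdo->prepare($sql)->execute(array_values($row));
}

$schema = ['users' => ['name', 'email']];

// Values are bound: this string is stored literally, never executed.
insert_checked($pdo, $schema, 'users',
    ['name' => "x'); drop table users; --", 'email' => 'a@example.test']);

// An identifier outside the allowlist is rejected before any SQL is built.
try {
    insert_checked($pdo, $schema, 'audit', ['name' => 'n', 'email' => 'e']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

insert_unchecked() is kept only for comparison with the line quoted at the top of the thread; the rest of the code calls the checked version.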