On 25.03.2005 at 14:36, Jared Williams wrote:
> Can I just point out that you've just negated the whole reason for having parameters in the first place, imo.
huh? just 'cause you dislike my php-code you question the "value" of bind altogether?
> $table is just as vulnerable to an SQL injection attack, as any of the parameters were before we had parameter binding.
a) there's no real way to bind table-names or column-names.
b) binding is not only good against sql-injection but also for speed (if the driver supports native-bind).
c) i (personally) would usually not pass unchecked user-data for table or column-names.
tc
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
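
Points (a) and (c) of the reply above in code, as an added example that is not part of the original message or of any code from the thread: the table and column names are checked against a fixed allowlist because they cannot be bound, and only the value goes through a bound parameter. The schema, the function name findRows and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: every table and column a caller may name.
const ALLOWED_TABLES = [
    'users'  => ['id', 'name'],
    'orders' => ['id', 'user_id'],
];

// Hypothetical helper: identifiers are validated, the value is bound.
function findRows(PDO $db, string $table, string $column, string $value): array
{
    $columns = ALLOWED_TABLES[$table] ?? null;
    if ($columns === null) {
        throw new InvalidArgumentException('table not allowed');
    }
    if (!in_array($column, $columns, true)) {
        throw new InvalidArgumentException('column not allowed');
    }
    // Only allowlisted identifiers are interpolated into the SQL text.
    // Double-quoted identifiers are standard SQL and accepted by SQLite.
    $stmt = $db->prepare("SELECT * FROM \"$table\" WHERE \"$column\" = :v");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
$db->exec("INSERT INTO users (name) VALUES ('bob')");

// The bound value is compared as a literal string, quotes included.
echo count(findRows($db, 'users', 'name', 'alice')), " row(s)\n";
echo count(findRows($db, 'users', 'name', "alice' OR '1'='1")), " row(s)\n";

// A table name outside the allowlist is rejected before any SQL is built.
try {
    findRows($db, 'users; DROP TABLE users', 'name', 'alice');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```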