> On 25.03.2005 at 14:36, Jared Williams wrote:
> > Can I just point out that you've just negated the whole reason for 
> > having parameters in the first place, imo.
> 
> huh? just 'cause you dislike my php-code you question the 
> "value" of bind altogether?
> 
> >
> > $table is just as vulnerable to an SQL injection attack, as any of the 
> > parameters were before we had parameter binding.
> >
> 
> a) there's no real way to bind table-names or column-names.

I know, I put in a request that was rejected: 
http://pecl.php.net/bugs/bug.php?id=3442

> b) binding is not only good against sql-injection but also 
> for speed (if the driver supports native-bind).

Security is far, far more important than speed. 
Plus you've already thrown away the speed by building the SQL on the fly,
so it's probably slower than building the SQL with the values embedded.

> c) i (personally) would usually not pass unchecked user-data 
> for table or column-names.

Perhaps not, but someone else may follow your example.

Jared
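Since identifiers cannot be bound, the usual defence is to allow-list the table and column names and bind only the values. The following is an added example (not code from this thread or from PDO itself); the table names, column names and the in-memory SQLite database are constructed for illustration.

```php
<?php
// Allow-listed identifiers (hypothetical schema); anything else is rejected
// before it is ever interpolated into SQL.
const ALLOWED_TABLES  = ['users', 'orders'];
const ALLOWED_COLUMNS = [
    'users'  => ['id', 'email'],
    'orders' => ['id', 'user_id', 'total'],
];

/** Return a quoted identifier, or throw if it is not on the allow-list. */
function safe_identifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowed: $name");
    }
    // Quote defensively even though the allow-list already excludes backticks.
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Identifiers are validated; the comparison value is a bound parameter. */
function fetch_by_column(PDO $pdo, string $table, string $column, string $value): array
{
    $t = safe_identifier($table, ALLOWED_TABLES);          // throws on unknown table
    $c = safe_identifier($column, ALLOWED_COLUMNS[$table]); // columns scoped per table
    $stmt = $pdo->prepare("SELECT * FROM $t WHERE $c = :value");
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (email) VALUES ('a@example.org')");

print_r(fetch_by_column($pdo, 'users', 'email', 'a@example.org'));

// A table name that is not on the allow-list never reaches the SQL string.
try {
    fetch_by_column($pdo, 'sqlite_master', 'name', 'users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Note that the allow-list does the real work; the backtick quoting only guards against a future edit that relaxes the list.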

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php