Jared Williams wrote:

> On 25.03.2005 at 14:36 Jared Williams wrote:
>
>>> Can I just point out that you've just negated the whole reason for having parameters in the first place, imo.
>>
>> huh? just 'cause you dislike my php-code you question the "value" of bind altogether?
>>
>>> $table is just as vulnerable to an SQL injection attack, as any of the parameters were before we had parameter binding.
>>
>> a) there's no real way to bind table-names or column-names.
>
> I know, I put in a request that was rejected: http://pecl.php.net/bugs/bug.php?id=3442

this is on a different piece of paper.

>> b) binding is not only good against sql-injection but also for speed (if the driver supports native-bind).
>
> Security is far far more important than speed. Plus you've already thrown away the speed by building the SQL on the fly,
> so it's probably slower than building the SQL with the values embedded.

blablabla... with oracle for example you will see a _massive_ speed gain when you have repetitive sql and you use bound variables.

>> c) i (personally) would usually not pass unchecked user-data for table or column-names.
>
> Perhaps not, but someone else may follow your example.

have you read my code?

$db->insert('some_table', array('name' => $name, 'age' => $age));

if you follow my example you are safe!

jared, i fail to understand your "contribution" to the real subject ("do we need a colon in front of every bound variable or not").

re, tc

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
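The two points argued above (table and column names cannot be bound, so they must be checked some other way, while values should always go through a prepared statement that can be reused) can be shown in one small PDO wrapper. This is an added example, not code from this thread, from tc's library or from PDO itself; the `SafeInserter` class, its allow-list `$schema` array and the `some_table` layout are assumptions made for the illustration, and it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not from the thread): insert helper over PDO that validates
// identifiers against an allow-list (PDO cannot bind them) and binds every
// value. Class name, schema array and table layout are hypothetical.

final class SafeInserter
{
    private PDO $pdo;
    /** @var array<string, string[]> allowed table => allowed columns (constructed) */
    private array $schema;
    /** @var array<string, PDOStatement> prepared statements cached by SQL text */
    private array $cache = [];

    public function __construct(PDO $pdo, array $schema)
    {
        $this->pdo = $pdo;
        $this->schema = $schema;
    }

    /**
     * Insert one row. Table and column names are checked against the
     * allow-list before any SQL text is built; values are bound, never
     * interpolated. Returns the new row id.
     */
    public function insert(string $table, array $row): int
    {
        if (!isset($this->schema[$table])) {
            throw new InvalidArgumentException("unknown table: $table");
        }
        $columns = array_keys($row);
        foreach ($columns as $col) {
            if (!in_array($col, $this->schema[$table], true)) {
                throw new InvalidArgumentException("unknown column: $col");
            }
        }
        // Named placeholders with the leading colon; PDO also accepts '?' markers.
        $placeholders = array_map(fn ($c) => ':' . $c, $columns);
        $sql = sprintf(
            'INSERT INTO "%s" ("%s") VALUES (%s)',
            $table,
            implode('", "', $columns),
            implode(', ', $placeholders)
        );
        // Prepare once per statement shape; repeated inserts reuse the handle.
        $stmt = $this->cache[$sql] ??= $this->pdo->prepare($sql);
        foreach ($row as $col => $value) {
            $stmt->bindValue(':' . $col, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        return (int) $this->pdo->lastInsertId();
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE some_table (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');

$db = new SafeInserter($pdo, ['some_table' => ['name', 'age']]);

// Constructed input: a value containing a quote is harmless because it is bound.
$name = "O'Brien";
$age  = 42;
$db->insert('some_table', ['name' => $name, 'age' => $age]);
$db->insert('some_table', ['name' => 'Alice', 'age' => 30]); // reuses the prepared statement

foreach ($pdo->query('SELECT id, name, age FROM some_table') as $r) {
    printf("%d %s %d\n", $r['id'], $r['name'], $r['age']);
}

// A table name that is not on the allow-list is refused before any SQL exists.
try {
    $db->insert('some_table; --', ['name' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php` from the command line. The allow-list is what makes `insert('some_table', ...)` safe even when the caller passes user-supplied identifiers, which is the gap binding alone cannot close; the statement cache shows where the speed argument for bound variables comes from, since the second insert executes an already prepared statement.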
