_____  

From: Brian Moon [mailto:[EMAIL PROTECTED]]
We really need to stop spreading this myth that prepared statements are 
a security measure.  Prepared statements only allow passing of the value 
parts of WHERE clauses and a couple of other parts of the query.  LIMIT 
values would be the most common thing in a query that uses variables, but 
they are not allowed to be prepared.  I have also seen plenty of 
applications that use variables for the table names, field names, ORDER 
BY, and other parts.  Prepared statements help with none of those. 
Prepared statements protect very little against SQL injection.  Making 
people believe otherwise is dangerous.
What I say about the security guide is that it should speak about how to program correctly...

And using prepared statements to pass variables by binding them is simply good 
programming (and must be used together with many other good practices... input checking...)
And effectively it is the variable binding, and not the prepared statement, that adds 
real security against SQL injection...
but actually I've not seen SQL variable binding without a prepared statement... that is 
why everyone speaks about prepared statements and not variable binding...

And generating dynamic SQL statements (without variable binding) is in general 
not good for performance... because it adds CPU and DBMS SQL cache consumption...
and also for security against SQL injection, like you say...
But using input DIRECTLY to generate the SQL statement's FROM table name... I think 
that is a design misfit...

You can develop protection systems as much as you can, but without real developer 
education... 
I think 70% of the security risk can be covered with good communication... 
and the rest by technique...
And finally you cannot cover 100% of the risk... but that is the problem of all 
computer systems...
But that is my thinking about it...

Why not build a wiki/portal site structured around the different aspects of good 
secure PHP programming? With a forum!?

Best Regards,
Mathieu
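The distinction both messages circle around, that binding protects the value positions of a query and nothing else, is easiest to see by running it. The following is an added example and is not code from the original thread or from either author; it uses Python's sqlite3 module in place of PHP because the behaviour is the same across drivers: a placeholder in a value position defeats the injection, a placeholder in a table-name position is a syntax error, and table names, column names and sort direction therefore need an allow-list. Whether LIMIT accepts a bound parameter depends on the driver (SQLite does; some drivers do not), so the example also casts it to an integer and range-checks it, which is the fallback when it must be interpolated. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
ROWS = [
    ("alice", "alice@example.com", 3),
    ("bob", "bob@example.com", 1),
    ("carol", "carol@example.com", 2),
]

# Allow-lists for the parts of a query that binding cannot protect.
ALLOWED_TABLES = {"users"}
ALLOWED_ORDER_COLUMNS = {"name", "logins"}
MAX_LIMIT = 100


def make_db():
    """Create an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, logins INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Value spliced into the SQL text: the classic injection hole."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Same query, value passed as a bound parameter.

    The SQL text is fixed; the engine never parses the value as SQL,
    so an input like  ' OR '1'='1  is just a string that matches nothing.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def identifier_binding_fails(conn):
    """Show that a placeholder cannot stand in for a table name.

    SQLite rejects a parameter in the FROM position as a syntax error,
    which is why table and column names must be allow-listed instead.
    """
    try:
        conn.execute("SELECT name FROM ? ORDER BY name", ("users",))
    except sqlite3.OperationalError:
        return True
    return False


def list_sorted(conn, table, order_col, descending, limit):
    """Build a query whose table, ORDER BY column, direction and LIMIT
    all come from caller input, handling each part the only way it can be
    handled safely: identifiers and direction by allow-list, LIMIT as a
    range-checked integer (bound here, but safe to interpolate after the
    cast if a driver refuses a bound LIMIT)."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table)
    if order_col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("order column not allowed: %r" % order_col)
    direction = "DESC" if descending else "ASC"
    limit = int(limit)  # ValueError on anything that is not an integer
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit out of range: %d" % limit)
    # Identifiers are safe to splice only because they came from the allow-list.
    sql = 'SELECT name FROM "%s" ORDER BY "%s" %s LIMIT ?' % (table, order_col, direction)
    return [row[0] for row in conn.execute(sql, (limit,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # every row leaks
    print("bound: ", lookup_bound(db, payload))    # nothing matches
    print("identifier placeholder rejected:", identifier_binding_fails(db))
    print("sorted:", list_sorted(db, "users", "logins", True, "2"))
```

Run it to see the same payload leak every row through `lookup_unsafe` and match nothing through `lookup_bound`; then try `list_sorted(db, "users; DROP TABLE users", ...)` and note that the rejection comes from the allow-list, not from the database, because no amount of binding would have caught it.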
