Oops, there are several language mistakes in the previous mail, but this should be noted.

    A prepared query is not a perfect SQL injection countermeasure as it never escapes nor parameterizes identifiers/SQL literals.

should be

    A prepared query is not a perfect SQL injection countermeasure as it never escapes nor parameterizes identifiers/SQL statements (e.g. ORDER BY ASC/DESC, etc.).

I've seen ASC/DESC as a parameter in a prepared query. They should be validated if they are user inputs.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

2012/4/11 Yasuo Ohgaki <yohg...@ohgaki.net>:
> A prepared query is not a perfect
> SQL injection countermeasure as it never escapes nor
> parameterizes identifiers/SQL literals.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
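The point made in the mail above, shown as an added example that is not part of the original post (Python with the built-in sqlite3 module, a constructed in-memory table, and hypothetical helper names): binding a column name turns it into a string literal so the ORDER BY silently does nothing, binding ASC/DESC is a syntax error, and the only fix is to validate such inputs against an allow-list before they reach the SQL text.

```python
import sqlite3

# Constructed sample table, created in memory so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "carol"), (2, "alice"), (3, "bob")])
    return conn

def order_by_bound_param(conn, column):
    # The column name is bound as a parameter, so the database sees the
    # string literal 'name', not the identifier name. Every row sorts by the
    # same constant and the ORDER BY has no effect: prepared queries do not
    # parameterize identifiers.
    rows = conn.execute("SELECT name FROM users ORDER BY ?", (column,)).fetchall()
    return [r[0] for r in rows]

def direction_bound_param(conn, direction):
    # ASC/DESC are keywords, not values, so they cannot be bound at all;
    # the statement fails to prepare. Returns the error text for inspection.
    try:
        conn.execute("SELECT name FROM users ORDER BY name ?", (direction,))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

# Allow-lists (hypothetical names): the only values permitted in SQL text.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def order_by_validated(conn, column, direction):
    # Hardened form: user input is only ever compared against the allow-list
    # and rejected otherwise, so nothing user-controlled reaches the SQL text.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("direction not allowed")
    sql = f"SELECT name FROM users ORDER BY {column} {direction}"
    return [r[0] for r in conn.execute(sql).fetchall()]
```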