Hey Lester, On 4/11/12 3:29 AM, Lester Caine wrote:
That is almost archaic itself ... It should be replaced with a pointer to using parameters (no, we do not need 'prepared statements', just parameters). One of the first things I implement on any code that I'm porting. Does away with any aggro over escaping strings and is totally safe 'injection' wise.
While I generally agree, 'just parameters' does have its limitations. Sometimes there are special character sequences that can be exploited to escape out of a quoted value in a SQL string.
Offhand, this comes to mind about MySQL: http://bugs.mysql.com/bug.php?id=8378 -ralph -- PHP Internals - PHP Runtime Development Mailing List
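Added example, not code from either poster, showing the difference the thread is about: a value spliced into the SQL text versus a value passed as a parameter. It uses Python's sqlite3 module on a constructed in-memory table rather than PHP and MySQL, so the names and data are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows for this illustration (not from the thread).
SAMPLE_USERS = [("alice", "alice@example.com"),
                ("O'Brien", "obrien@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    # The pattern the thread argues against: the value becomes part of the
    # SQL text, so any quote inside it changes how the statement parses.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Parameters: the value travels separately from the SQL text, so the
    # engine never parses it as SQL and no escaping step is needed.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def concat_breaks_on(conn, name):
    # True when string splicing cannot even represent this value as a
    # literal: an apostrophe in a real name already yields a syntax error.
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

The charset-dependent escaping issue in the MySQL bug Ralph links is a server-side escaping problem and is not reproduced here; the point shown is only that a bound parameter is stored and compared as data, whatever characters it contains.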