On 6/17/07, PFC <[EMAIL PROTECTED]> wrote:
 I either use pg_query_params() which automagically handles all quoting,
or an ORM which does the same.
 There is no reason to include strings in SQL statements except laziness.
 MySQL does not have a mysql_query_params() for PHP, so you have to write
one; it's pretty simple.


Take your pick:

- Quotemeta
- Addslashes
- Htmlentities($string, 'utf-8')
- Magic_quotes in the INI
- Anti-XSS code (several available online)


Python's (and Perl's) strength in this respect is that they make it easier
to use the safe solution, i.e., query( "sql with ? or $1 or %s", arg, arg, arg )


$sql = "select column from table where field = '%s'";
$sql = sprintf($sql, $submittedvariable);
..


PEAR::DB is horrendous.


And hugely unnecessary.

EP

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
      choose an index scan if your joining column's datatypes do not
      match
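The contrast the thread is arguing over, as an added example that is not part of the original message: the sprintf-style query (value formatted into the SQL text, nothing quoted) beside the placeholder style ("sql with ?", arg) that the reply credits Python with. The table, rows and the `x' OR '1'='1` payload are constructed for the demo; sqlite3 stands in for the PostgreSQL/MySQL drivers, and `query()` is an assumed name for the thin wrapper PFC describes writing.

```python
import sqlite3

# Constructed sample data (not from the original thread): a small users table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed attacker input: closes the quoted literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_sprintf_style(conn, submitted):
    """The pattern quoted in the post: format the value into the SQL string.

    Nothing quotes `submitted`, so a single quote inside it ends the literal
    and the rest of the input is parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % submitted
    return conn.execute(sql).fetchall()


def query(conn, sql, *args):
    """Assumed name for the 'write one yourself' wrapper: the SQL text never
    changes, the values travel separately and are bound by the driver."""
    return conn.execute(sql, args).fetchall()


def lookup_params(conn, submitted):
    """Placeholder form: the value can only ever be compared as data."""
    return query(conn, "SELECT name, email FROM users WHERE name = ?", submitted)


def demo():
    """Run both lookups with an honest value and with the payload."""
    conn = make_db()
    return {
        "honest_sprintf": lookup_sprintf_style(conn, "alice"),
        "honest_params": lookup_params(conn, "alice"),
        "payload_sprintf": lookup_sprintf_style(conn, PAYLOAD),
        "payload_params": lookup_params(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With the honest value both lookups return Alice's row. With the payload the formatted query returns every row, because the WHERE clause has become `name = 'x' OR '1'='1'`, while the bound-parameter query returns nothing, because no user is literally named `x' OR '1'='1`. Escaping helpers (addslashes and friends) try to make the first path behave like the second; the placeholder path never has the problem to begin with.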