--- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> The idea is exactly not to do any queries dynamically generated based
> on user input!

This argument still makes no sense to me. Originally, you stated that a better option to filtering and escaping data was to use a prepared statement. Some of us have decided that you are referring to stored procedures. You still have yet to defend your original statement in my mind.

If there is no foreign data of any kind in a query, it doesn't really matter how the query is processed. For every other case (not as rare as you seem to think), data filtering is a must.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
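
The distinction debated in this message, as an added example that is not part of the original post or thread: a bound parameter keeps foreign data out of the SQL text, while a separate filtering step decides whether the value is acceptable as data at all. The table, field names, limits and sample inputs are constructed, and PDO with the SQLite driver is an assumption.

```php
<?php
// Added example: constructed table and inputs, not code from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, quantity INTEGER)');

/**
 * Filter foreign data before it reaches the query.
 * Returns the cleaned values, or null if any field is rejected.
 */
function filter_order(array $input): ?array
{
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $quantity = filter_var(
        $input['quantity'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]] // hypothetical business limits
    );
    if ($email === false || $quantity === false) {
        return null;
    }
    return ['email' => $email, 'quantity' => $quantity];
}

// Constructed sample inputs standing in for request data.
$requests = [
    ['email' => 'alice@example.org', 'quantity' => '3'],
    // Injection-shaped value: harmless to a bound parameter, but not an email address.
    ['email' => "x' OR '1'='1", 'quantity' => '1'],
    // Nothing SQL-specific here; a prepared statement alone would store it unchanged.
    ['email' => 'bob@example.org', 'quantity' => '-500'],
];

$insert = $db->prepare('INSERT INTO orders (email, quantity) VALUES (:email, :quantity)');

foreach ($requests as $request) {
    $clean = filter_order($request);
    if ($clean === null) {
        echo 'rejected: ', json_encode($request), "\n";
        continue;
    }
    // Bound parameters keep the values out of the SQL text.
    $insert->execute([':email' => $clean['email'], ':quantity' => $clean['quantity']]);
    echo 'stored: ', json_encode($clean), "\n";
}

echo $db->query('SELECT COUNT(*) FROM orders')->fetchColumn(), " row(s) stored\n";
```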