On Tue, 23 Mar 2004 08:25:32 -0800, Pablo Gosse wrote:

> A RARE case, in the world of web applications??? Hardly!!!!!
>
> I agree that in an optimal situation queries will not be based on user
> input, but in the world of the web this is a pipe dream. In 99.99% of the
> cases there will be some dynamic element to a query. The only safeguard
> is to validate the hell out of the data.

I don't know which web applications you develop, but in the ones I have been developing for the last 10 years, all user interaction was done through forms where users were asked specific questions, and the input to these specific questions was used as input to prepared statements. E.g.

  "select tuple1.table1, tuple1.table2, tuple3.table1 from table1, table2 where tuple1.table1 = tuple1.table2 and tuple1.table1=? and tuple3.table3>?"

and so forth.

In any case the user's input was to be used in queries defined by the design of the application! I think you have misunderstood the concept of making queries based on user input. It is not the users who should create the query; all they should do is provide the input to narrow down the queries.

--
Hilsen/Regards
Michael Rasmussen
--------------------------------------------------------------
Beauty and harmony are as necessary to you as the very breath of life.

--
PHP General Mailing List (http://www.php.net/)
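The prepared-statement approach Michael describes, as an added example that is not part of the original thread. It uses Python's standard sqlite3 module rather than PHP, since the point (the query's shape is fixed by the application and user input is bound only as data to narrow it) is the same in any database driver. The customers table, its rows, and the input name "O'Brien" are constructed sample data; the two lookup functions are hypothetical names chosen for this illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data, not taken from the original thread.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("Alice", 100), ("O'Brien", 250), ("Bob", 40)],
    )
    return conn


def find_by_name_concat(conn, name):
    # The query text is assembled from user input, so the input becomes part
    # of the SQL grammar. A perfectly legitimate name containing an apostrophe
    # is enough to break the statement; "validating the hell out of" every
    # field is the only thing standing between this code and a malformed query.
    sql = "SELECT id, name, balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_prepared(conn, name, min_balance=0):
    # The application designer fixes the query; the user supplies only the
    # values for the ? placeholders, which the driver binds as data. Quotes in
    # the input are never interpreted as SQL, so the same name just works.
    sql = "SELECT id, name, balance FROM customers WHERE name = ? AND balance > ?"
    return conn.execute(sql, (name, min_balance)).fetchall()


def demo():
    # Run the same form input through both styles and report what happened.
    conn = make_db()
    results = {"prepared": find_by_name_prepared(conn, "O'Brien")}
    try:
        results["concat"] = find_by_name_concat(conn, "O'Brien")
    except sqlite3.OperationalError as err:
        results["concat"] = "error: " + str(err)
    return results


if __name__ == "__main__":
    for style, outcome in demo().items():
        print(style, "->", outcome)
```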