Re: Bind Variables and Quoting / Dequoting Input

From: Michael Fuhr
Subject: Re: Bind Variables and Quoting / Dequoting Input
Msg-id: 20051210015827.GA17631@winnie.fuhr.org
In reply to: Re: Bind Variables and Quoting / Dequoting Input  (Michael Fuhr <mike@fuhr.org>)
Responses: Re: Bind Variables and Quoting / Dequoting Input  (<operationsengineer1@yahoo.com>)
List: pgsql-novice
On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:
> On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1@yahoo.com wrote:
> > do i need to quote input even though i'm using bind
> > variables in my queries?
> >
> > i seem to think that quoting on entry and unquoting on
> > return was a method for fighting sql injection, but
> > i'm also thinking that bind variables may make that
> > step meaningless.
>
> Using placeholders should eliminate the need to quote, either by
> quoting for you or by using the underlying protocol's mechanism for
> parameterized queries.

I might have misunderstood what you meant by "bind variables."
Could you explain exactly what you're doing?

--
Michael Fuhr
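
The point in the quoted reply (placeholders make application-side quoting unnecessary, and quoting anyway is actively harmful) can be seen in a small added example. It is not code from the thread; it uses Python's standard-library sqlite3 module with an in-memory database as a stand-in for PostgreSQL, since the DB-API placeholder mechanism works the same way: the driver, not the application, takes care of the value.

```python
"""Placeholders vs. manual quoting (added example; SQLite in-memory stands in
for PostgreSQL, the sample value is constructed)."""
import sqlite3

# Constructed sample input: a legitimate value that happens to contain a quote.
SAMPLE_NAME = "O'Brien"


def manual_escape(value: str) -> str:
    """The 'quote on entry' approach: double every single quote by hand."""
    return value.replace("'", "''")


def insert_by_concatenation(conn: sqlite3.Connection, name: str) -> None:
    """SQL built by string concatenation: the application must get quoting right."""
    sql = "INSERT INTO people (name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_with_placeholder(conn: sqlite3.Connection, name: str) -> None:
    """Placeholder: the value travels separately from the SQL text, no quoting needed."""
    conn.execute("INSERT INTO people (name) VALUES (?)", (name,))


def stored_names(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY name")]


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    results = {}
    # 1. Concatenation with the raw value: the quote in the data ends the
    #    string literal early and the statement is rejected as malformed.
    try:
        insert_by_concatenation(conn, SAMPLE_NAME)
        results["concat_raw"] = "ok"
    except sqlite3.OperationalError:
        results["concat_raw"] = "syntax error"
    # 2. Placeholder with the raw value: stored exactly as given.
    insert_with_placeholder(conn, SAMPLE_NAME)
    # 3. Placeholder plus manual quoting: the driver already protects the value,
    #    so the hand escaping is kept as data and "O''Brien" is what gets stored.
    insert_with_placeholder(conn, manual_escape(SAMPLE_NAME))
    results["stored"] = stored_names(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

Case 3 is the answer to the original question: quoting on entry and dequoting on return is only needed when the application builds SQL text itself; with placeholders it corrupts the data instead of protecting it.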
