Re: SQL injection, php and queueing multiple statement

Ivan Sergio Borgonovo <mail@webthatworks.it> writes:
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Use prepared statements.

> Yeah... but how can I effectively enforce the policy that ALL input
> will be passed through prepared statements?

Modify the PHP code (at whatever corresponds to the DBD layer)
to always use PQexecParams, never PQexec, even when you don't
have any parameters.

            regards, tom lane