Re: More PHP DB abstraction layer stuff

From: Nigel J. Andrews
Subject: Re: More PHP DB abstraction layer stuff
Date:
Msg-id: Pine.LNX.4.21.0301241914020.28504-100000@ponder.fairway2k.co.uk
In reply to: Re: More PHP DB abstraction layer stuff  (Dennis Gearon <gearond@cvc.net>)
Responses: Re: More PHP DB abstraction layer stuff  (Greg Stark <gsstark@mit.edu>)
List: pgsql-general

On Fri, 24 Jan 2003, Dennis Gearon wrote:

> could you elaborate on:
>
>     Place holders ( those are in prepared queries, yes?)
>     out of band?
>
> 1/24/2003 9:22:42 AM, Greg Stark <gsstark@mit.edu> wrote:
>
> >
> >But the best way to deal with this is to use placeholders and prepared queries
> >and provide the data out of band. This completely sidesteps the issue and
> >guarantees you can't get it wrong by mistake ever. Mixing user-provided data
> >with program code is a recipe for security holes.

In perl with DBI:

use DBI;
# $dbh is an open DBI handle; the value travels separately from the SQL text
my $sth = $dbh->prepare("SELECT * FROM mytable WHERE id = ?");
$sth->execute($idvalue);

I didn't even know it was possible in PHP. I've never used it before.


--
Nigel J. Andrews
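The PHP counterpart of the DBI snippet above, added here as an example (not code from the thread): PDO placeholders, using an in-memory SQLite database so it runs offline. The table, its rows and the request value are constructed; the same code runs unchanged against PostgreSQL with a `pgsql:` DSN, where the server rejects the non-numeric value as an invalid integer instead of matching nothing.

```php
<?php
// Added example, not from the original thread. SQLite in memory stands in for
// PostgreSQL so this runs offline; only the DSN would change for pgsql.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->exec("INSERT INTO mytable (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed request value: a caller supplies something that is not a plain number.
$idvalue = "1 OR 1=1";

// Unsafe: the value is spliced into the SQL text, so its contents are parsed as code
// and the WHERE clause no longer restricts the result.
$rows = $dbh->query("SELECT * FROM mytable WHERE id = $idvalue")->fetchAll(PDO::FETCH_ASSOC);
printf("interpolated: %d row(s)\n", count($rows));

// Safe: the SQL text is fixed at prepare time; the value is sent out of band and is
// only ever compared as data against the id column.
$sth = $dbh->prepare('SELECT * FROM mytable WHERE id = ?');
$sth->execute([$idvalue]);
$rows = $sth->fetchAll(PDO::FETCH_ASSOC);
printf("placeholder:  %d row(s)\n", count($rows));

// Named placeholders behave the same way and read better with several parameters.
$sth = $dbh->prepare('SELECT name FROM mytable WHERE id = :id');
$sth->execute([':id' => 2]);
echo $sth->fetchColumn(), "\n";
```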



