Re: PHP sucks!! - was: persistent db connections in PHP

From: Erick Papadakis
Subject: Re: PHP sucks!! - was: persistent db connections in PHP
Date:
Msg-id: e9e8f77d0706161439i796e17bfo2a113a646b6808d7@mail.gmail.com
In reply to: Re: PHP sucks!! - was: persistent db connections in PHP  (PFC <lists@peufeu.com>)
List: pgsql-general
On 6/17/07, PFC <lists@peufeu.com> wrote:
>  I either use pg_query_params() which automagically handles all quoting,
> or an ORM which does the same.
>  There is no reason to include strings in SQL statements except laziness.
>  MySQL does not have a mysql_query_params() for PHP, so you have to write
> one, it's pretty simple.


Take your pick:

- Quotemeta
- Addslashes
- Htmlentities($string, 'utf-8')
- Magic_quotes in the INI
- Anti-XSS code (several available online)


> Python's (and perl) strength in this respect is that they make it easier
> to use the safe solution, ie, query( "sql with ? or $1 or %s", arg, arg, arg )


$sql = "select column from table where field = '%s'";
$sql = sprintf($sql, $submittedvariable);
..


> PEAR::DB is horrendous.
>

And hugely unnecessary.

EP
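As an added illustration (not code from this thread or its authors), the sprintf() construction quoted in the message placed beside the pg_query_params() form PFC recommends; the connection handle $conn and the table, column and field names are assumed:

```php
<?php
// Added example, not from the thread. Assumes an open PostgreSQL
// connection in $conn and a table with the column/field names used below.

// 1. The string-building pattern from the message: the submitted value is
//    pasted into the SQL text, so whether the statement stays well-formed
//    depends entirely on the content of the value.
function build_sql_unsafe(string $submitted): string
{
    $sql = "select column from table where field = '%s'";
    return sprintf($sql, $submitted);
}

// Constructed input containing a single quote. The statement it produces
// has unbalanced quotes: everything after the apostrophe is parsed as SQL,
// not as data, which is exactly the failure mode parameters avoid.
$submitted = "O'Brien";
echo build_sql_unsafe($submitted), "\n";

// 2. Parameterised form: the SQL text is fixed and the value travels to the
//    server separately, so it is never interpreted as SQL. No escaping needed.
function find_rows_safe($conn, string $submitted): array
{
    $result = pg_query_params(
        $conn,
        'select column from table where field = $1',
        [$submitted]
    );
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($result) ?: [];
}

// 3. If the value really must be spliced into the SQL text, use the driver's
//    own quoting rather than addslashes()/quotemeta(): pg_escape_literal()
//    follows the connection's encoding and quoting rules.
function build_sql_escaped($conn, string $submitted): string
{
    return 'select column from table where field = '
        . pg_escape_literal($conn, $submitted);
}

// Usage (assumes $conn = pg_connect('...') succeeded):
// $rows = find_rows_safe($conn, $_GET['field'] ?? '');
```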
