Gordon Messmer wrote: > Peter Burden wrote: >> It may be worth using the MySQL function mysql_real_escape_string() which >> should handle anything that could cause problems. Programmatically this >> would be much less effort than using prepared statements which require a >> considerable amount of coding. > > I think you've missed the point of this whole thread: string escaping is > error-prone (particularly with respect to memory) and unnecessarily > complex. If you've looked at the authmysql driver, you'd see that *not* > using prepared statements requires "a considerable amount of coding".
That statement is not exact. I think Peter meant that using the library escape function provides for the minimal amount of coding, which is correct. > Prepared statements are the best way to avoid injection attacks, > simplify code, and (usually) get the best performance possible. I agree on the first point. Not quite on remaining two ones: IME the code for prepared statements is more complex (in terms of LOCs) and the performance increase (2x) is negligible. ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
