> From: Ian Harisay <[EMAIL PROTECTED]>
>
> James H. McCullars [mailto:[EMAIL PROTECTED]] wrote:
> > So I need to make sure that if I do something like the standard:
> >
> > $sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES
> > (?,?,?)");
> >
> > and use the contents of the "Subject:" line as a value, some spammer
> > couldn't put SQL code in the subject and have it interpreted. Something
> > like:
> >
> > Subject: Increase your money; "hello; use mysql; drop table users;"
> >
> > or something to that effect. Would someone be able to do this, and
> > if so, how would I guard against it? Thanks...
>
> The fact that you're using placeholders will prevent an SQL
> injection attack from happening. You're good to go.
Unless of course the statement is a stored procedure call and the stored procedure uses some ad-hoc SQL inside. In which case the procedure should handle the escaping, but you still have to take that into account.

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed to get drunk
and croon as much as they like.
	-- Terry Pratchett in Sourcery
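An added illustration of Ian's point, not code from the thread: Python's sqlite3 module stands in for DBI here, since its `?` placeholders bind values the same way, and the two subject lines are constructed samples (the one from James' mail plus one containing a single quote, which is what actually breaks hand-built SQL).

```python
import sqlite3

# Constructed sample subjects: the one from the thread, and one with a
# single quote, which is the character that breaks hand-quoted SQL.
SPAM_SUBJECT = 'Increase your money; "hello; use mysql; drop table users;"'
QUOTED_SUBJECT = "Don't miss this offer"


def make_db():
    """In-memory database with the mail table and a 'users' table to watch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail (sender TEXT, subject TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def insert_with_placeholders(conn, sender, subject, body):
    """The pattern from the question: values are bound, never parsed as SQL."""
    conn.execute("INSERT INTO mail(sender, subject, body) VALUES (?,?,?)",
                 (sender, subject, body))


def insert_by_interpolation(conn, sender, subject, body):
    """The pattern to avoid: the subject text becomes part of the statement."""
    sql = "INSERT INTO mail(sender, subject, body) VALUES ('%s','%s','%s')" % (
        sender, subject, body)
    conn.execute(sql)


def stored_subjects(conn):
    return [row[0] for row in conn.execute("SELECT subject FROM mail ORDER BY rowid")]


def users_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def demo():
    """Returns (placeholders stored both subjects verbatim, interpolation failed)."""
    conn = make_db()
    insert_with_placeholders(conn, "a@example.com", SPAM_SUBJECT, "...")
    insert_with_placeholders(conn, "b@example.com", QUOTED_SUBJECT, "...")
    ok = stored_subjects(conn) == [SPAM_SUBJECT, QUOTED_SUBJECT] and users_table_exists(conn)
    try:
        insert_by_interpolation(conn, "c@example.com", QUOTED_SUBJECT, "...")
        interpolation_failed = False
    except sqlite3.OperationalError:  # "near t: syntax error": the quote ended the literal
        interpolation_failed = True
    return ok, interpolation_failed
```

Jenda's stored-procedure caveat is the same failure mode moved server-side: a value that arrives bound but is then concatenated into ad-hoc SQL inside the procedure is back in the `insert_by_interpolation` situation.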
