Re: [Full-Disclosure] Question: is this exploitable?

[Jonathan A. Zdziarski]

Eh? How does this prevent a sql injection exploit?  Placeholders (as was
previously suggested) are really the only way to accomplish that.

> $query=sprintf("insert into projects values(null,%s)",dbh->quote($project));
> $sth = $dbh->prepare($query);


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html