On Aug 23, 2007, at 1:31 AM, Tracy R Reed wrote:
> Then I thought about prepared statements and parameterized queries.
> I *think* these are the same thing really, but I'm not sure. Does
> anyone know?
I don't think they're exactly the same. In Java, the only way to do
parameterized queries is *using* prepared statements, but I think
they're different. Prepared statements implies that the query is pre-
compiled into something that the DB can understand, you take a hit up
front (probably when the class loads?) and then the query runs a bit
faster. Parameterized statements simply implies leaving variables in
your sql that get filled in later.
All of that said, I'm not sure that parameterized statements or
prepared statements really fix SQL injection attacks. Consider:
SELECT * FROM users WHERE name = ?;
now, imagine that the input name is:
Fred; DELETE * FROM users
So the short version is -- make sure whatever library you use to do
parameterized statements does a good job of cleaning the input. If I
knew PHP I might have a suggestion, but I don't, so I don't.
Good luck!
-Matt
> We will be wanting to implement this in PHP5. It seems like the
> only way to get prepared statements with PHP5 is to use the PDO
> module.
> Anyone know of a better way to do this? I did some PHP between 1998
> and 2000 and haven't touched it since so I am way out of date on PHP.
> --
> Tracy R Reed Read my blog at http://ultraviolet.org
> Key fingerprint = D4A8 4860 535C ABF8 BA97 25A6 F4F2 1829 9615 02AD
> Non-GPG signed mail gets read only if I can find it among the spam.
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
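The point the thread circles around is whether a bound parameter can turn into SQL. The following is an added example, not code from either poster; it uses Python's sqlite3 module rather than PHP PDO because the mechanism is the same (the query text is fixed and the value is shipped separately), and the table, rows and the quote-closing input are constructed for the demo. It runs Matt's input through both a concatenated query and a parameterized one, then does the same with an input that closes the string literal, which is the case where concatenation actually changes the query's meaning.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the thread).
SEED_USERS = [("Fred", "fred@example.test"), ("Alice", "alice@example.test")]

# The input Matt gives in his message.
MATT_INPUT = "Fred; DELETE * FROM users"
# A constructed input that closes the quoted literal so the remainder is
# parsed as SQL when the value is spliced into the query text.
QUOTE_INPUT = "x' OR 'a'='a"


def make_db():
    """Fresh in-memory SQLite database seeded with SEED_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: the value becomes part of the SQL the parser reads."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Parameterized query: SQL text is constant, `name` travels as a value.

    The engine parses the statement first and only then substitutes the
    value, so quotes or semicolons inside `name` are never seen as syntax.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups against both inputs and report what the table holds afterwards."""
    conn = make_db()
    return {
        # Matt's input sits inside the quotes either way, so it matches no row
        # and cannot run a second statement; sqlite3 also refuses stacked statements.
        "matt_concat": lookup_concatenated(conn, MATT_INPUT),
        "matt_bound": lookup_bound(conn, MATT_INPUT),
        # Closing the quote rewrites the WHERE clause under concatenation...
        "quote_concat": lookup_concatenated(conn, QUOTE_INPUT),
        # ...but is just an unmatched literal when bound.
        "quote_bound": lookup_bound(conn, QUOTE_INPUT),
        "rows_left": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With binding there is nothing for the application to "clean": the database never interprets the parameter as SQL, so the quote-closing input returns no rows instead of every row. PDO's prepare()/execute() with bound values gives the same separation in PHP5; one caveat worth knowing is that the MySQL driver emulates prepares client-side by default, and setting `PDO::ATTR_EMULATE_PREPARES` to false makes the server do the binding.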