Rick Funderburg wrote:
> Clever people can anticipate your straightforward approach and add an
> extra backslash into their injection so that the resulting SQL escapes
> your backslash rather than the quote.

Wouldn't it escape the backslash AND the quote?

Anyway, I agree with those who say that escaping isn't the right way to go. I think for my purposes that prepared statements and parameterized queries are the same thing, and that is the way I am going to go. It is hard to tell if you have remembered to properly escape everything. It is easy to spot a parameterized query vs. a non-parameterized one. Parameterization does seem to guarantee that you will not fall victim to any SQL injection attacks.

--
Tracy R Reed                  Read my blog at http://ultraviolet.org
Key fingerprint = D4A8 4860 535C ABF8 BA97  25A6 F4F2 1829 9615 02AD
Non-GPG signed mail gets read only if I can find it among the spam.

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
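Added illustration of the two points in this exchange (editorial example, not code from the thread). It assumes MySQL-style backslash escaping inside single-quoted literals, uses a small scanner to check whether an escaped value can close the literal early, and uses a constructed in-memory sqlite3 table to show the parameterized alternative.

```python
import sqlite3

# Constructed sample inputs: one hostile value that starts with a backslash
# followed by a quote, and one legitimate value containing an apostrophe.
HOSTILE = "\\' not part of the literal"
LEGIT = "O'Reilly"


def escape_quotes_only(value: str) -> str:
    # The "straightforward" approach criticized in the thread: prefix quotes
    # with a backslash but leave backslashes in the input untouched.
    return value.replace("'", "\\'")


def escape_backslash_and_quotes(value: str) -> str:
    # Escape the escape character first, then the quote (the answer to
    # "wouldn't it escape the backslash AND the quote?").
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literal_breaks_out(escaped: str) -> bool:
    """Read `escaped` the way a MySQL-style parser reads the inside of a
    single-quoted literal: a backslash consumes the next character, and an
    unescaped quote ends the literal. True means the literal closes before
    the end of the value, so whatever follows would be parsed as SQL."""
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            i += 2  # backslash plus the character it escapes
            continue
        if escaped[i] == "'":
            return True
        i += 1
    return False


def build_demo_db() -> sqlite3.Connection:
    # Constructed table so the parameterized query can run offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), (LEGIT,)])
    return conn


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The value never touches the SQL text; the driver passes it separately,
    # so no escaping decision is left to the programmer.
    return conn.execute("SELECT id FROM users WHERE name = ?",
                        (name,)).fetchall()
```

Running the scanner over both escapers shows that quote-only escaping lets the hostile value end the literal early while escaping both characters does not, and the parameterized lookup simply treats the hostile value as a name that matches nobody.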
