The net result is almost the same with the exception that by using
ora_bind you don't have to worry about 'SQL Injection' techniques that
could compromise your site. If you construct the DML statement in one
big string, double check that you have escaped or otherwise nullified
'undesirable' characters such as ["';,] etc.

-Stathis.
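An added example, not code from Stathis's or Christian's mail, showing the point above in runnable Python over SQLite (standing in for Oracle and MySQL). The table columns and the sample row are constructed from the eight :p* placeholders in the quoted code; the function names are invented. It puts the "one big string" port beside the bound form and also shows the quote-doubling escape a string-building port would have to get right:

```python
"""Bind variables vs. string-built SQL (added example, not from the thread).

Assumptions: sqlite3 stands in for Oracle/MySQL; the usercomments layout and
column names are reconstructed from the placeholders in the quoted PHP code.
"""
import sqlite3

# Column names constructed from the :pkey ... :pref placeholders.
COLUMNS = ("param_key", "param_ser", "param_nam", "param_ema",
           "param_dat", "param_txt", "param_sub", "param_ref")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table usercomments (%s)" % ", ".join(COLUMNS))
    return conn


def insert_interpolated(conn, row):
    # The port proposed in the quoted mail: values pasted into one SQL
    # string. Any ' inside a value changes how the statement is parsed.
    quoted = ", ".join("'%s'" % v for v in row)
    conn.execute("insert into usercomments values (%s)" % quoted)


def escape_single_quotes(value):
    # ANSI SQL escape: double every single quote. This is what "escaped or
    # otherwise nullified" has to mean at minimum; MySQL additionally treats
    # backslash as an escape, so a real port should use the driver's escaper.
    return value.replace("'", "''")


def insert_escaped(conn, row):
    quoted = ", ".join("'%s'" % escape_single_quotes(v) for v in row)
    conn.execute("insert into usercomments values (%s)" % quoted)


def insert_bound(conn, row):
    # Equivalent of db_parse + db_bind: the SQL text is fixed and parsed once,
    # the values travel separately and are never interpreted as SQL.
    placeholders = ", ".join("?" for _ in row)
    conn.execute("insert into usercomments values (%s)" % placeholders, row)


def fetch_names(conn):
    return [r[0] for r in conn.execute("select param_nam from usercomments")]


def demo():
    # Constructed sample row; the apostrophe in the name is ordinary user
    # input, yet it is enough to break the interpolated version.
    row = ("1", "sess01", "Mary O'Brien", "mary@example.invalid",
           "2001-01-01", "Hello", "Greeting", "0")
    results = {}
    conn = make_db()
    try:
        insert_interpolated(conn, row)
        results["interpolated"] = "ok"
    except sqlite3.OperationalError as exc:
        results["interpolated"] = "syntax error: %s" % exc
    insert_escaped(conn, row)
    results["escaped"] = fetch_names(conn)
    insert_bound(conn, row)
    results["bound"] = fetch_names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The interpolated insert fails on a plain apostrophe (and would be silently rewritten by a value crafted to form valid SQL), while the escaped and bound inserts both store the name intact; the bound form gets that without the port having to know each database's escaping rules.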

Christian Schneider wrote:
> 
> Hi,
> 
> sorry to post just after subscribing but I didn't find anything in the FAQs.
> 
> I have to port an Oracle-based system to MySQL and am now investigating
> how to get rid of the Oracle specialities. I neither wrote the system
> nor do I fully understand how it's working yet, so I might miss something.
> 
> The biggest trouble spot seems to be the use of the ora_bind functions
> as in the following example:
> 
> $e = db_parse ($curs, "insert into usercomments values
> "."(:pkey,:pser,:pnam,:pema,:pdat,:ptxt,:psub,:pref) ");
> 
> if ( ! $e ):
>        $err = "Error in insert statement!";
>        $errn = $curs;
>     else:
>        db_bind ($curs, "param_key", ":pkey", 6, 1);
>        db_bind ($curs, "param_ser", ":pser", 16, 1);
>        db_bind ($curs, "param_nam", ":pnam", 128, 1);
>        db_bind ($curs, "param_ema", ":pema", 128, 1);
>        db_bind ($curs, "param_dat", ":pdat", 64, 1);
>        db_bind ($curs, "param_txt", ":ptxt", 1024, 1);
>        db_bind ($curs, "param_sub", ":psub", 128, 1);
>        db_bind ($curs, "param_ref", ":pref", 16, 1);
>        if (!db_exec ($curs)):
>           $err = "Could not execute insert statement, sorry!";
>           $errn = $curs;
>        else:
>        endif;
>     endif;
> 
> The problem is that I don't really see what the use of the ora_bind is
> here. Is there anything that would forbid the port to:
> 
> mysql_query("insert into usercomments values( $param_key, $param_ser,
> ..., $param_ref)");
> 
> Or am I missing something substantial here?
> 
> Thanks a lot,
> 
> Christian
> --
> Christian Schneider <[EMAIL PROTECTED]>
> 
> Zentrum für Angewandte Informatik --.. .- .. -.-
> University-wide Service .-. .-. --.. -.-
> 
> + Universität zu Köln + Robert-Koch-Str. 10 + D-50931 Köln
> + Tel. +49 221 478 7021 +
> 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
