>> Logically, it does _not_ mean the same thing.
> Definitely not -- it would be a bit presumptuous to claim "If you do
> X, the query is not vulnerable to SQL injection attacks" for just
> about any value of X.

That is what I thought: no magic bullet.

> That said, I would recommend binding parameters if you can. It's a
> cleaner way of separating the logic of a query from its data, and
> theoretically more reliable than mysql_real_escape_string():
> http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

I fail to understand what is happening here. For the sake of context,
here is the PHP code in TFA:
$db = new PDO('pgsql:dbname=database');
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);   // binds by reference; $user is read at execute()
$stmt->bindParam(':password', $pass);
$stmt->execute();                        // nothing is run against the database until here

What exactly does bindParam do? I read these pages in TFM but I still
do not understand what exactly is being sent to the database:

I do not see how there could possibly be a prepared statement for a
user comment. I am not a programmer by trade, so I may be missing
something obvious. If so, a link and a friendly RTFM would be great.

Dotan Cohen


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
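The two ways of sending the same query, as an added example that is not code from the original post, from TFA or from php.net. It uses PDO's sqlite driver with an in-memory database so it runs offline; the testUsers table, its one row and the attacker input are constructed here for illustration.

```php
<?php
// Added example, not code from the original post or from TFA. Runs offline
// against an in-memory SQLite database; table, row and inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE testUsers (username TEXT, password TEXT, priv TEXT)");
$db->exec("INSERT INTO testUsers VALUES ('alice', 's3cret', 'admin')");

// Attacker-controlled input: the single quote closes the string literal, so
// whatever follows is parsed as SQL if the value is spliced into query text.
$user = "alice' OR '1'='1";
$pass = "wrong";

// 1. Interpolation: query text and data reach the database as one string.
//    AND binds tighter than OR, so the database evaluates
//    username='alice' OR ('1'='1' AND password='wrong')
//    and alice's row is returned without her password.
$sql = "SELECT priv FROM testUsers WHERE username='$user' AND password='$pass'";
$leaked = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("interpolated SQL: %s\n", $sql);
printf("interpolated result: %d row(s) %s\n", count($leaked), implode(',', $leaked));

// 2. Prepared statement: prepare() gives the database only the template with
//    placeholders; bindParam() records references to $user and $pass;
//    execute() ships the current values as data, never as query text.
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("template sent: %s\n", $stmt->queryString);
// Zero rows: no user is literally named "alice' OR '1'='1".
printf("prepared result: %d row(s)\n", count($rows));

// 3. bindParam() binds by reference, so the variables are read again on every
//    execute(); one prepare() serves any number of runs with different data.
$user = 'alice';
$pass = 's3cret';
$stmt->execute();
printf("prepared, real credentials: priv=%s\n", $stmt->fetchColumn());
```

Run it with `php example.php` (any PHP build with pdo_sqlite, which is bundled by default). One caveat for the MySQL driver: pdo_mysql emulates prepares by default, meaning PDO escapes the values and splices them into the SQL client-side before sending a single string; set `PDO::ATTR_EMULATE_PREPARES` to false to have the template and the parameters sent to the server separately, which is what the pgsql driver in TFA's snippet does natively.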
