>> Ah, but what if I use sqlite or postgres?
> Or Firebird ;)
>> IMHO, the discussion needs to be a the best way to prevent SQL injection
>> all possible DB types. Not just mysql.
> The main thing to avoid is building queries from elements that are directly
> loaded from the form inputs. While it is difficult to build sort elements for
> queries that use parameters, having a mechanism like ADOdb's datadict where
> one can filter SQL based on the identified field names does make life easier.
> While the problems of dealing with student names such as 'Delete from
> student' are easily solved by only using them in parameter arrays.
> A few simple basics cover the vast majority of traditional SQL injection
Part of why I even asked is to get a sense of the shelf life on legacy code
(that relies on escaping) which I am not keen to have to re-write, for free,
until I really must.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php