>> Ah, but what if I use sqlite or postgres?
>
> Or Firebird ;)

good point.

>> IMHO, the discussion needs to be about the best way to prevent SQL injection
>> across all possible DB types. Not just mysql.
>
> The main thing to avoid is building queries from elements that are directly
> loaded from the form inputs. While it is difficult to build sort elements for
> queries that use parameters, having a mechanism like ADOdb's datadict where
> one can filter SQL based on the identified field names does make life easier.
>
> While the problems of dealing with student names such as 'Delete from
> student' are easily solved by only using them in parameter arrays.
>
> A few simple basics cover the vast majority of traditional SQL injection
> problems?

Yes, apparently.

Part of why I even asked is to get a sense of the shelf life on legacy code
(that relies on escaping) which I am not keen to have to re-write, for free,
until I really must.

-Govinda

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
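The two rules from the quoted reply, values only through parameters and sort columns only through a field allowlist, as an added example that is not part of the thread or of ADOdb; it assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline, with the same code working against PostgreSQL or MySQL by changing the DSN.

```php
<?php
// Added example: parameters for values, an allowlist for identifiers.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT, year INTEGER)');

// Constructed sample rows, including the awkward student name from the thread.
$insert = $db->prepare('INSERT INTO student (name, year) VALUES (:name, :year)');
foreach ([['Alice', 2], ['Delete from student', 1], ['Bob', 3]] as [$name, $year]) {
    $insert->execute([':name' => $name, ':year' => $year]);
}

// Identifiers (column names, ASC/DESC) cannot be bound as parameters, so the
// sort element is checked against the known field list before it touches SQL.
// ADOdb's datadict can supply this list from the schema; here it is hard-coded.
const SORTABLE_FIELDS = ['id', 'name', 'year'];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

function find_students(PDO $db, string $name, string $sortBy, string $dir = 'ASC'): array
{
    if (!in_array($sortBy, SORTABLE_FIELDS, true)) {
        throw new InvalidArgumentException("unknown sort field: $sortBy");
    }
    if (!in_array(strtoupper($dir), SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException("unknown sort direction: $dir");
    }
    // The name travels as a parameter: 'Delete from student' is just data here,
    // whatever the database engine, and nothing needs escaping by hand.
    $sql = "SELECT name, year FROM student WHERE name = :name ORDER BY $sortBy " . strtoupper($dir);
    $stmt = $db->prepare($sql);
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Exact match on the awkward name returns one row; the table is untouched.
print_r(find_students($db, 'Delete from student', 'year'));

// A sort field that is not in the allowlist is rejected before any SQL runs.
try {
    find_students($db, 'Alice', 'email');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allowlist check is the part that legacy escaping-based code usually lacks, since escaping functions only apply to quoted string values and do nothing for a column name spliced into ORDER BY.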