> I think you can happily sanitise data where it makes sense, and use bound 
> parameters elsewise. So when you expect a number, its easy to check for and 
> force a sensible default. Likewise for things like dates, or names of 
> articles (probably a popular need with a CMS) you can check and enforce 
> particular characters.
> Outside of that, without bound params you run a potential risk (even if only 
> slight). You can do stuff like base64 encode values, but then you lose a lot 
> of the ability to search through your DB after.

What would you say in the case of having used CodeIgniter (w/it's modified 
'Active Record Class', before PDO was an (easy/built-in) option in CodeIgniter) 
to develop an app that serves content in dozen(s) of languages through a custom 
international CMS...  and now they want "a search box" so end users can search 
all the pages (db data) of the "site" for that country (in that country's main 
language)?  IOW form input that I cannot just force/sanitize to e.g. (english) 
alphanumeric (+ spaces), and I cannot just switch to using PDO without 
rewriting all the code in all the model files.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to