> I think you misunderstood me. I already have a
> function that works great. What I don't understand is how to get PHP
> to use place holders for data binding. This is a more generic database
> issue. I
> could have also written:
> "INSERT INTO foo (a,b) VALUES (?,?)"
> where again, the values are passed separately and are *not*
> into the query. That's the point - not interpolating your values to
> protect against an insertion attack.

I'm sure you are already doing this, but enough can't be said for
validation. Make sure what you think is a number really is, and that a
string is properly quoted...then this won't be a problem.

---John Holmes... 

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
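An added example of what the quoted poster describes, not code from anyone in this thread: the same INSERT done with PDO placeholders so the values are bound separately and never become part of the SQL text, with the integer validated first as the reply suggests. It assumes the pdo_sqlite extension; the table, column names and sample values are constructed here.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite is available;
// an in-memory SQLite database stands in for whatever server is in use.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the database do the binding rather than having the PHP driver
// splice values into the text (SQLite already does; set it anyway).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE foo (a INTEGER, b TEXT)');

// Constructed sample input: a "number" that arrived as a string, and a
// perfectly legitimate string that happens to contain a single quote.
$a = '42';
$b = "O'Brien";

// Validation first: make sure what you think is a number really is one.
if (filter_var($a, FILTER_VALIDATE_INT) === false) {
    throw new InvalidArgumentException('a must be an integer');
}

// Interpolating the values into the SQL text: the quote in $b breaks
// the statement, which is the same mechanism an injection abuses.
try {
    $pdo->exec("INSERT INTO foo (a,b) VALUES ($a,'$b')");
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

// Positional placeholders: the SQL text is fixed, values travel separately.
$stmt = $pdo->prepare('INSERT INTO foo (a,b) VALUES (?,?)');
$stmt->bindValue(1, (int) $a, PDO::PARAM_INT);
$stmt->bindValue(2, $b, PDO::PARAM_STR);
$stmt->execute();

// Named placeholders work the same way; the quote is stored literally.
$stmt = $pdo->prepare('SELECT a, b FROM foo WHERE b = :name');
$stmt->execute([':name' => $b]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));
```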
