On Fri, 29 Oct 2004 00:29:24 +0800, Andy Sy <[EMAIL PROTECTED]> wrote:
> The simplest and most foolproof way to prevent SQL injection is
> to just remember to quote every single GET/POST variable you put
> in an SQL query. You can't inject any SQL if you can't inject
> quotes in the GET/POST variable. In PHP, just do:
How about preparing your statements as constant strings, then setting the appropriate variables through the driver? As in Perl/DBI and Java/JDBC.

--
Philippine Linux Users' Group (PLUG) Mailing List
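The alternative proposed above, keeping the statement a constant string and sending the value through the driver, shown as an added example that is not part of the original thread. It uses Python's sqlite3 module as a stand-in for DBI/JDBC placeholders, with a constructed in-memory table, and contrasts it with splicing the value into the SQL text:

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def find_by_name_concat(conn, name):
    """The pattern the thread is discussing: the request value becomes part of
    the SQL text, so a quote inside it changes the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, name):
    """The pattern proposed in the reply: constant SQL with a placeholder, the
    value handed to the driver separately, so it is only ever compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def concat_fails_on(conn, name):
    """True when the spliced statement is rejected by the SQL parser, which is
    what an ordinary apostrophe in a name does to the concatenated form."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

With the bound form, a legitimate name containing an apostrophe is matched literally, and an input shaped like a second condition matches nothing, while the concatenated form breaks on the former and returns every row for the latter.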
