On 07/10/2011 05:46, Govinda wrote:
Hi everyone
I have read many many articles and blog posts in the last few days to bolster my (still mostly
newbie) understanding of the factors that play in to preventing various methods of SQL injection
prevention.. and by now I am well aware that most
On Fri, Oct 07, 2011 at 12:46:52AM -0400, Govinda wrote:
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
Hi everyone
I have read many many articles and blog posts in the last few days to
bolster my (still mostly newbie) understanding of the factors that
play in to
There is more to SQL injection than getting the quoting correct. In my
understanding, prepared statements handles the other problems associated
with queries and SQL injection beyond just quoting. Here's a good
tutorial on how this works:
http://www.youtube.com/watch?v=bORZlmyDw0s
Paul,
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
Hi everyone
I have read many many articles and blog posts in the last few days to bolster
my (still mostly newbie) understanding of the factors that play in to
preventing various methods of SQL injection prevention.. and by
On Tue, Oct 4, 2011 at 8:01 PM, Jeremiah Dodds jeremiah.do...@gmail.com wrote:
On Tue, Oct 4, 2011 at 9:25 PM, Tommy Pham tommy...@gmail.com wrote:
There would be a difference in performance since the expression has to
be reevaluated, including the function FROM_BASE, every time versus
Hi.
On Wednesday 05 Oct 2011 at 00:04 Mark Kelly wrote:
I'd be interested in any ideas folk have about these issues, or any others
they can envisage with this proposal.
Thank you all for joining in here - it's been a fascinating read so far.
Mark
--
PHP General Mailing List
On 10/04/2011 02:23 PM, Jim Giner wrote:
I thought I knew how to do this.
I have a form that collects some data fields. My script checks if magic
quotes are off and (since they are) executes addslashes on each input
field. Then I run a query to INSERT these 'slashed' vars into the
On 4 Oct 2011, at 20:30, Shawn McKenzie wrote:
On 10/04/2011 02:23 PM, Jim Giner wrote:
I thought I knew how to do this.
I have a form that collects some data fields. My script checks if magic
quotes are off and (since they are) executes addslashes on each input
field. Then I run a
Hi.
On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
Thanks. I followed this link through and read the full message (having missed
it the first time round), and while I find the idea of using base64 to
sanitise text
On 5 Oct 2011, at 00:04, Mark Kelly wrote:
Hi.
On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
Thanks. I followed this link through and read the full message (having missed
it the first time round), and while I
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:04, Mark Kelly wrote:
Hi.
On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
Thanks. I followed this link through and read
On 5 Oct 2011, at 00:45, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:04, Mark Kelly wrote:
Hi.
On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:45, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:04, Mark Kelly wrote:
Hi.
On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
On 5 Oct 2011, at 01:13, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:45, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:04, Mark Kelly wrote:
Hi.
On Tuesday
On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 01:13, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:45, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com
On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote:
As for the overhead I very much doubt there's much difference between that
and the overhead of prepared statements.
Probably not. As an aside, I'm really struggling to find a case where
it'd be worth base64-encoding the
On 5 Oct 2011, at 02:02, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 01:13, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 00:45, Tommy Pham wrote:
On Tue, Oct 4,
On Tue, Oct 4, 2011 at 6:07 PM, Jeremiah Dodds jeremiah.do...@gmail.com wrote:
On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote:
As for the overhead I very much doubt there's much difference between
that and the overhead of prepared statements.
Probably not. As an aside,
On 5 Oct 2011, at 02:07, Jeremiah Dodds wrote:
On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote:
As for the overhead I very much doubt there's much difference between that
and the overhead of prepared statements.
Probably not. As an aside, I'm really struggling to find a
On Tue, Oct 4, 2011 at 8:15 PM, Tommy Pham tommy...@gmail.com wrote:
On Tue, Oct 4, 2011 at 6:07 PM, Jeremiah Dodds jeremiah.do...@gmail.com
wrote:
On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas stu...@3ft9.com wrote:
As for the overhead I very much doubt there's much difference between
On 5 Oct 2011, at 02:16, Jeremiah Dodds wrote:
On Tue, Oct 4, 2011 at 8:10 PM, Stuart Dallas stu...@3ft9.com wrote:
Prepared statements incur an additional hit against the DB server to prepare
the statement.
But only once, right? This could, of course, still be a downside
depending the
On Tue, Oct 4, 2011 at 6:10 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 02:02, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote:
On 5 Oct 2011, at 01:13, Tommy Pham wrote:
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com
On Tue, Oct 4, 2011 at 9:25 PM, Tommy Pham tommy...@gmail.com wrote:
There would be a difference in performance since the expression has to
be reevaluated, including the function FROM_BASE, every time versus one time
evaluation of prepared statement.
This is true, but it should be pointed