Re: [PHP] Re: Secure data management

2011-10-07 Thread Govinda
>> > There is more to SQL injection than getting the quoting correct. In my > understanding, prepared statements handles the other problems associated > with queries and SQL injection beyond just quoting. Here's a good > tutorial on how this works: > > http://www.youtube.com/watch?v=bORZlmyDw0s

Re: [PHP] Re: Secure data management

2011-10-07 Thread Paul M Foster
On Fri, Oct 07, 2011 at 12:46:52AM -0400, Govinda wrote: > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ > > Hi everyone > > I have read many many articles and blog posts in the last few days to > bolster my (still mostly newbie) understanding of the factors that > play

[PHP] Re: Secure data management

2011-10-07 Thread Ian
On 07/10/2011 05:46, Govinda wrote: Hi everyone I have read many many articles and blog posts in the last few days to bolster my (still mostly newbie) understanding of the factors that play in to preventing various methods of SQL injection prevention.. and by now I am well aware that most eve

Re: [PHP] Re: Secure data management

2011-10-06 Thread Govinda
http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Hi everyone I have read many many articles and blog posts in the last few days to bolster my (still mostly newbie) understanding of the factors that play in to preventing various methods of SQL injection prevention.. and by

Re: [PHP] Re: Secure data management

2011-10-05 Thread Mark Kelly
Hi. On Wednesday 05 Oct 2011 at 00:04 Mark Kelly wrote: > I'd be interested in any ideas folk have about these issues, or any others > they can envisage with this proposal. Thank you all for joining in here - it's been a fascinating read so far. Mark -- PHP General Mailing List (http://www.ph

Re: [PHP] Re: Secure data management

2011-10-05 Thread Tommy Pham
On Tue, Oct 4, 2011 at 8:01 PM, Jeremiah Dodds wrote: > On Tue, Oct 4, 2011 at 9:25 PM, Tommy Pham wrote: > > There would be a difference in performance since the expression has > to > > be reevaluated, including the function FROM_BASE, every time versus one > time > > evaluation of prepared

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 9:25 PM, Tommy Pham wrote: > There would be a difference in performance since the expression has to > be reevaluated, including the function FROM_BASE, every time versus one time > evaluation of prepared statement. This is true, but it should be pointed out that for a l

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 6:10 PM, Stuart Dallas wrote: > > On 5 Oct 2011, at 02:02, Tommy Pham wrote: > > On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas wrote: > >> On 5 Oct 2011, at 01:13, Tommy Pham wrote: >> >> On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas wrote: >> >>> >>> On 5 Oct 2011, at 00

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 02:16, Jeremiah Dodds wrote: > On Tue, Oct 4, 2011 at 8:10 PM, Stuart Dallas wrote: >> Prepared statements incur an additional hit against the DB server to prepare >> the statement. > > But only once, right? This could, of course, still be a downside > depending on the nature of

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 8:15 PM, Tommy Pham wrote: > On Tue, Oct 4, 2011 at 6:07 PM, Jeremiah Dodds > wrote: >> >> On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas wrote: >> >  As for the overhead I very much doubt there's much difference between >> > that and the overhead of prepared statements. >>

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 02:07, Jeremiah Dodds wrote: > On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas wrote: >> As for the overhead I very much doubt there's much difference between that >> and the overhead of prepared statements. > > Probably not. As an aside, I'm really struggling to find a case whe

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 8:10 PM, Stuart Dallas wrote: > Prepared statements incur an additional hit against the DB server to prepare > the statement. But only once, right? This could, of course, still be a downside depending on the nature of your app. -- PHP General Mailing List (http://www.php.ne

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 6:07 PM, Jeremiah Dodds wrote: > On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas wrote: > > As for the overhead I very much doubt there's much difference between > that and the overhead of prepared statements. > > Probably not. As an aside, I'm really struggling to find a ca

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 02:02, Tommy Pham wrote: > On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas wrote: > On 5 Oct 2011, at 01:13, Tommy Pham wrote: > >> On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas wrote: >> >> On 5 Oct 2011, at 00:45, Tommy Pham wrote: >> >>> On Tue, Oct 4, 2011 at 4:11 PM, Stu

Re: [PHP] Re: Secure data management

2011-10-04 Thread Jeremiah Dodds
On Tue, Oct 4, 2011 at 7:51 PM, Stuart Dallas wrote: > As for the overhead I very much doubt there's much difference between that > and the overhead of prepared statements. Probably not. As an aside, I'm really struggling to find a case where it'd be worth base64-encoding the queries like that

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas wrote: > On 5 Oct 2011, at 01:13, Tommy Pham wrote: > > On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas wrote: > >> >> On 5 Oct 2011, at 00:45, Tommy Pham wrote: >> >> On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas wrote: >> >>> On 5 Oct 2011, at 00:04

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 01:13, Tommy Pham wrote: > On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas wrote: > > On 5 Oct 2011, at 00:45, Tommy Pham wrote: > >> On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas wrote: >> On 5 Oct 2011, at 00:04, Mark Kelly wrote: >> >> > Hi. >> > >> > On Tuesday 04 Oct 2011

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas wrote: > > On 5 Oct 2011, at 00:45, Tommy Pham wrote: > > On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas wrote: > >> On 5 Oct 2011, at 00:04, Mark Kelly wrote: >> >> > Hi. >> > >> > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: >> > >> >> http:

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 00:45, Tommy Pham wrote: > On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas wrote: > On 5 Oct 2011, at 00:04, Mark Kelly wrote: > > > Hi. > > > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: > > > >> http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ > > >

Re: [PHP] Re: Secure data management

2011-10-04 Thread Tommy Pham
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas wrote: > On 5 Oct 2011, at 00:04, Mark Kelly wrote: > > > Hi. > > > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: > > > >> http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ > > > > Thanks. I followed this link through and rea

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 5 Oct 2011, at 00:04, Mark Kelly wrote: > Hi. > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: > >> http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ > > Thanks. I followed this link through and read the full message (having missed > it the first time round), and wh

Re: [PHP] Re: Secure data management

2011-10-04 Thread Mark Kelly
Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/ Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text inter

Re: [PHP] Re: Secure data management

2011-10-04 Thread Stuart Dallas
On 4 Oct 2011, at 20:30, Shawn McKenzie wrote: > On 10/04/2011 02:23 PM, Jim Giner wrote: >> I thought I knew how to do this. >> >> I have a form that collects some data fields. My script checks if magic >> quotes are off and (since they are) executes "addslashes" on each input >> field. Then

[PHP] Re: Secure data management

2011-10-04 Thread Shawn McKenzie
On 10/04/2011 02:23 PM, Jim Giner wrote: > I thought I knew how to do this. > > I have a form that collects some data fields. My script checks if magic > quotes are off and (since they are) executes "addslashes" on each input > field. Then I run a query to INSERT these 'slashed' vars into the