On 9/26/07, John Campbell <[EMAIL PROTECTED]> wrote:
> > My personal favorite:
> > public function esc( $value ) {
> > return mysql_real_escape_string( $value, $this->db );
> > }
>
> If that is your personal favorite, you are justifying the article.
> All you have to do is forget to use single quotes once and your site
> is vulnerable. Step up and start using prepared queries.
Hmm, yeah I probably should, now that everything is php5.
I need to create SQL snippets that get embedded in multiple and
modular queries, like "obj.priority > 99 AND obj.title='Foo' "... is
there a way to "pre-prepare" that? Or will I need to pass an object
around with the statement "obj.priority > ? AND obj.title=?" and the
two values as properties?
--
Chris Snyder
http://chxo.com/
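One way to "pre-prepare" a snippet like the one Chris describes is to carry the SQL text with `?` placeholders and its bound values together in a small value object, and only turn it into a real prepared statement at the point where the full query is assembled. The example below is an added illustration and is not code from the thread; it uses current PHP syntax (typed properties, arrow functions), PDO, and an in-memory SQLite database via the pdo_sqlite driver as a stand-in for MySQL. The `SqlFragment` class, the `obj` table and its rows are all constructed here for the demonstration.

```php
<?php
// Added example (not from the original thread): a "pre-prepared" SQL
// fragment that keeps its ? placeholders and bound values together, so
// the same snippet can be embedded in several queries and still run as a
// prepared statement. Assumes PHP with PDO + pdo_sqlite (SQLite in memory
// stands in for MySQL); table name and data are constructed for the demo.

final class SqlFragment
{
    private string $sql;
    private array $params;

    public function __construct(string $sql, array $params = [])
    {
        // Crude sanity check: a '?' inside a quoted SQL literal would be
        // miscounted, but fragments should not contain literals anyway.
        if (substr_count($sql, '?') !== count($params)) {
            throw new InvalidArgumentException('placeholder/value count mismatch');
        }
        $this->sql = $sql;
        $this->params = $params;
    }

    public function sql(): string { return $this->sql; }
    public function params(): array { return $this->params; }

    // Combine fragments with AND; bound values stay in SQL order.
    public static function all(SqlFragment ...$parts): self
    {
        $sql = implode(' AND ', array_map(fn($p) => '(' . $p->sql . ')', $parts));
        $params = array_merge([], ...array_map(fn($p) => $p->params, $parts));
        return new self($sql, $params);
    }

    // Prepare and execute this fragment appended to a query head.
    public function run(PDO $pdo, string $head): array
    {
        $stmt = $pdo->prepare($head . $this->sql);
        $stmt->execute($this->params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// The snippet from the question, with the data kept out of the SQL text.
$where = SqlFragment::all(
    new SqlFragment('obj.priority > ?', [99]),
    new SqlFragment('obj.title = ?', ["Fo'o"])   // quote in the data is harmless
);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE obj (id INTEGER PRIMARY KEY, priority INTEGER, title TEXT)');
$ins = $pdo->prepare('INSERT INTO obj (priority, title) VALUES (?, ?)');
foreach ([[100, "Fo'o"], [50, "Fo'o"], [120, 'Bar']] as $row) {
    $ins->execute($row);
}

// The same fragment embedded in two different modular queries.
print_r($where->run($pdo, 'SELECT id, title FROM obj WHERE '));
print_r($where->run($pdo, 'SELECT COUNT(*) AS n FROM obj WHERE '));
```

With MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection if you want the statement prepared on the server rather than having PDO interpolate the values client-side; either way the values never need quoting by hand, which is the point of moving away from `mysql_real_escape_string`.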
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php