
Re: More PHP DB abstraction layer stuff

From: "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>
To: Dennis Gearon <gearond(at)cvc(dot)net>
Cc: Greg Stark <gsstark(at)mit(dot)edu>, pgsql-general(at)postgresql(dot)org, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: More PHP DB abstraction layer stuff
Date: 2003-01-24 19:15:52
Message-ID: Pine.LNX.4.21.0301241914020.28504-100000@ponder.fairway2k.co.uk
Lists: pgsql-general, pgsql-interfaces

On Fri, 24 Jan 2003, Dennis Gearon wrote:

> could you elaborate on:
> 
> 	Place holders ( those are in prepared queries, yes?)
> 	out of band?
> 
> 1/24/2003 9:22:42 AM, Greg Stark <gsstark(at)mit(dot)edu> wrote:
> 
> >
> >But the best way to deal with this is to use placeholders and prepared queries
> >and provide the data out of band. This completely sidesteps the issue and
> >guarantees you can't get it wrong by mistake ever. Mixing user-provided data
> >with program code is a recipe for security holes.

In Perl with DBI:

my $sth = $dbh->prepare("SELECT * FROM mytable WHERE id = ?");   # '?' is the placeholder in the SQL text
$sth->execute($idvalue);                                         # the value is passed separately, never interpolated

I didn't even know it was possible in PHP. I've never used it before.


-- 
Nigel J. Andrews
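As an added example (not code from the thread), the same placeholder pattern through PHP's PDO abstraction layer, next to the in-band interpolation that Greg warns against. It assumes the pdo_sqlite driver so it runs against an in-memory SQLite database with no PostgreSQL server; the table, rows and the hostile input value are constructed for the demonstration, and the same prepare/execute calls work unchanged against a `pgsql:` DSN.

```php
<?php
// Added example: PDO gives PHP the same prepare/execute shape as Perl DBI.
// Assumption: the pdo_sqlite driver is available (used here so this runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for "mytable" from the thread.
$pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, secret TEXT)');
$pdo->exec("INSERT INTO mytable VALUES (1, 'alpha'), (2, 'bravo'), (3, 'charlie')");

// Constructed "user input": not a plain id, but something a request might carry.
$idvalue = '1 OR 1=1';

// In-band: the data is pasted into the program text, so the data becomes code and
// rewrites the WHERE clause. Every row the clause now matches comes back.
$inband = $pdo->query("SELECT * FROM mytable WHERE id = $idvalue")
              ->fetchAll(PDO::FETCH_ASSOC);
printf("interpolated query matched %d row(s)\n", count($inband));

// Out of band: the statement text is fixed at prepare time and the value travels
// separately as a parameter, exactly as in Nigel's DBI snippet. The database
// compares the id column against the whole string and nothing is reinterpreted.
$sth = $pdo->prepare('SELECT * FROM mytable WHERE id = ?');
$sth->execute([$idvalue]);
$outofband = $sth->fetchAll(PDO::FETCH_ASSOC);
printf("parameterized query matched %d row(s)\n", count($outofband));

// The prepared statement is reusable: a legitimate id returns just the intended row.
$sth->execute([2]);
$row = $sth->fetch(PDO::FETCH_ASSOC);
printf("id 2 -> secret=%s\n", $row['secret']);
```

Run it with `php example.php`; the first count covers the whole constructed table while the second is zero, which is the difference between mixing data into code and supplying it out of band.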
