Re: Bind Variables and Quoting / Dequoting Input

From: <operationsengineer1(at)yahoo(dot)com>
To: Michael Fuhr <mike(at)fuhr(dot)org>
Cc: "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Bind Variables and Quoting / Dequoting Input
Date: 2005-12-12 17:05:54
Message-ID: 20051212170555.20267.qmail@web33308.mail.mud.yahoo.com
Lists: pgsql-novice

--- Michael Fuhr <mike(at)fuhr(dot)org> wrote:

> On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:
> > On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1(at)yahoo(dot)com wrote:
> > > do i need to quote input even though i'm using bind variables in my queries?
> > >
> > > i seem to think that quoting on entry and unquoting on return was a method for fighting sql injection, but i'm also thinking that bind variables may make that step meaningless.
> >
> > Using placeholders should eliminate the need to quote, either by quoting for you or by using the underlying protocol's mechanism for parameterized queries.
>
> I might have misunderstood what you meant by "bind variables." Could you explain exactly what you're doing?

yes... this is an adodb code snippet:

$sql_insert = <<<_EOSQL
INSERT INTO t_customer (customer_id, customer_name, customer_entry_date)
VALUES (?,?,?)
_EOSQL;

// the values are passed separately from the SQL text; ADOdb binds them to the ? placeholders
$result = $db->Execute($sql_insert, array($customer_id, $customer_name, $db->DBDate(time())));

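Added illustration for this thread (not part of the original message or of ADOdb): a Python sqlite3 stand-in for the Execute($sql, array(...)) call above, run against constructed sample rows. It shows that a bound value containing an apostrophe is stored as typed, that "quoting on entry" on top of a placeholder leaves the escape character in the table, and that building the statement by string concatenation fails on the same input.

```python
import sqlite3

DDL = ("CREATE TABLE t_customer (customer_id INTEGER PRIMARY KEY, "
       "customer_name TEXT, customer_entry_date TEXT)")
INSERT = ("INSERT INTO t_customer (customer_id, customer_name, customer_entry_date) "
          "VALUES (?, ?, ?)")

# Constructed sample rows, not taken from the thread; the second name contains an apostrophe.
SAMPLE_ROWS = [(1, "Acme Widgets", "2005-12-12"), (2, "O'Reilly Supply", "2005-12-12")]


def insert_bound(conn, row):
    """Same shape as the ADOdb Execute($sql, array(...)) call: the driver binds
    the values, so the apostrophe needs no quoting by the caller."""
    conn.execute(INSERT, row)


def insert_prequoted(conn, row):
    """'Quoting on entry' combined with a placeholder: the value is escaped by
    hand AND bound, so the doubled quote is what ends up in the table."""
    customer_id, name, entry_date = row
    conn.execute(INSERT, (customer_id, name.replace("'", "''"), entry_date))


def insert_concatenated(conn, row):
    """Statement built from strings instead of bound. Returns the error class
    name when the apostrophe breaks the SQL, or None when the row goes in."""
    customer_id, name, entry_date = row
    sql = ("INSERT INTO t_customer (customer_id, customer_name, customer_entry_date) "
           f"VALUES ({customer_id}, '{name}', '{entry_date}')")
    try:
        conn.execute(sql)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return None


def stored_names(conn):
    return [r[0] for r in conn.execute(
        "SELECT customer_name FROM t_customer ORDER BY customer_id")]


def compare(insert_fn):
    """Apply insert_fn to SAMPLE_ROWS in a fresh in-memory DB; return the stored names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    for row in SAMPLE_ROWS:
        insert_fn(conn, row)
    return stored_names(conn)


def concatenation_errors():
    """Outcome of insert_concatenated for each sample row (None means success)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return [insert_concatenated(conn, row) for row in SAMPLE_ROWS]
```

Running compare(insert_bound) stores the name with its apostrophe intact, compare(insert_prequoted) stores "O''Reilly Supply", and concatenation_errors() reports an OperationalError for the second row.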
