--- Michael Fuhr <mike(at)fuhr(dot)org> wrote:
> On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael
> Fuhr wrote:
> > On Fri, Dec 09, 2005 at 01:54:13PM -0800,
> operationsengineer1(at)yahoo(dot)com wrote:
> > > do i need to quote input even though i'm using
> > > variables in my queries?
> > >
> > > i seem to think that quoting on entry and
> unquoting on
> > > return was a method for fighting sql injection,
> > > i'm also thinking that bind variables may make
> > > step meaningless.
> > Using placeholders should eliminate the need to
> quote, either by
> > quoting for you or by using the underlying
> protocol's mechanism for
> > parameterized queries.
> I might have misunderstood what you meant by "bind
> Could you explain exactly what you're doing?
yes... this is an adodb code snippet:
> $sql_insert = <<<_EOSQL
> INSERT INTO t_customer (customer_id, customer_name,
> VALUES (?,?,?)
> $result = $db->Execute($sql_insert,
> array($customer_id, $customer_name, $db->DBDate(time())));
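The point made above, that binding values through placeholders removes the need to quote on the way in and unquote on the way out, can be seen end to end in the following added example. It is not code from this thread or from ADOdb; it uses Python's standard `sqlite3` module with an in-memory database so it runs offline, standing in for the PHP/ADOdb/PostgreSQL stack the poster uses (the mechanism is the same: the driver sends values separately from the SQL text). The third column name `created` is assumed, since the snippet in the message is cut off after `customer_name`, and the sample name and date are constructed.

```python
import sqlite3
from datetime import date


def make_db():
    """Create an in-memory table shaped like the poster's t_customer (column 'created' is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_customer (customer_id INTEGER, customer_name TEXT, created TEXT)"
    )
    return conn


def insert_with_placeholders(conn, customer_id, customer_name, created):
    # Three '?' placeholders, as in the ADOdb snippet. The values travel
    # separately from the statement text, so the driver handles any quoting.
    conn.execute(
        "INSERT INTO t_customer (customer_id, customer_name, created) VALUES (?, ?, ?)",
        (customer_id, customer_name, created),
    )


def insert_by_concatenation(conn, customer_id, customer_name, created):
    # Contrast: splicing the data into the SQL string. A single quote in the
    # data ends the literal early and the statement no longer parses; this is
    # the situation manual quoting was meant to patch over.
    sql = (
        "INSERT INTO t_customer (customer_id, customer_name, created) "
        f"VALUES ({customer_id}, '{customer_name}', '{created}')"
    )
    conn.execute(sql)


def fetch_name(conn, customer_id):
    row = conn.execute(
        "SELECT customer_name FROM t_customer WHERE customer_id = ?", (customer_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    name = "O'Brien"  # constructed sample: a value containing a quote character
    today = date(2005, 12, 12).isoformat()  # constructed sample date

    # 1. Bound parameter: stored and read back exactly as entered, no quoting step needed.
    insert_with_placeholders(conn, 1, name, today)
    stored = fetch_name(conn, 1)

    # 2. Quoting on entry *and* binding: the doubled quote is stored literally,
    #    so the data now needs an "unquote on return" step it never needed.
    insert_with_placeholders(conn, 2, name.replace("'", "''"), today)
    double_quoted = fetch_name(conn, 2)

    # 3. String concatenation without quoting: the statement fails to parse.
    try:
        insert_by_concatenation(conn, 3, name, today)
        concat_ok = True
    except sqlite3.Error:
        concat_ok = False

    return {"stored": stored, "double_quoted": double_quoted, "concat_ok": concat_ok}


if __name__ == "__main__":
    print(demo())
```

Run it and case 1 returns the name unchanged, case 2 shows why pre-quoting bound values is counterproductive (the database faithfully stores `O''Brien`), and case 3 shows the parse failure that motivated manual quoting in the first place. With placeholders, validation of the input (length, allowed characters, business rules) is still the application's job; quoting for the SQL layer is not.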