Re: Bind Variables and Quoting / Dequoting Input

From: <operationsengineer1(at)yahoo(dot)com>
To: Michael Fuhr <mike(at)fuhr(dot)org>
Cc: "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Bind Variables and Quoting / Dequoting Input
Date: 2005-12-13 20:42:02
Message-ID: 20051213204202.18554.qmail@web33306.mail.mud.yahoo.com
Lists: pgsql-novice

--- Michael Fuhr <mike(at)fuhr(dot)org> wrote:

> On Mon, Dec 12, 2005 at 09:08:32AM -0800, operationsengineer1(at)yahoo(dot)com wrote:
> > Mike, thanks. i was getting quotes inside the database "cells",
> > which is why i had to figure out what was going on. the data is
> > inserted correctly now, i just want to make sure the process is
> > also a safe process.
>
> Using placeholders is supposed to be safe -- that's part of the
> rationale for using them -- but you'd have to examine the
> implementation to be sure it doesn't have any vulnerabilities.
>
> I see the following in the ADOdb documentation:
>
>   Currently Oracle, Interbase and ODBC supports variable binding.
>   Interbase/ODBC style ? binding is emulated in databases that
>   do not support binding. Note that you do not have to quote
>   strings if you use binding.
>
> If this documentation is up to date then apparently the PostgreSQL
> driver does emulation. Recent versions of PostgreSQL (7.4 and
> later) support separation of SQL and parameters at the protocol
> layer but you'd have to dig into ADOdb to see if it uses that
> capability.

fyi, john's answer from his forum...

Yes, in adodb 4.68, if you are running php5, native
variable binding is used.
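
An added illustration (not part of the original message, and not ADOdb's code) of the difference discussed above between emulated and native `?` binding, and of how quoting a value by hand before binding puts the quotes into the stored data. It uses Python's sqlite3 as a stand-in for a driver with native binding; `quote_literal`, `emulate_bind`, `run_demo` and the `people` table are hypothetical names.

```python
import sqlite3

def quote_literal(value):
    """Render a Python value as a SQL literal (standard '' doubling for strings)."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"

def emulate_bind(sql, params):
    """Emulated ? binding: splice quoted literals into the SQL text client-side.
    Simplification: assumes no literal '?' appears inside the SQL itself."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    pieces = [parts[0]]
    for value, tail in zip(params, parts[1:]):
        pieces += [quote_literal(value), tail]
    return "".join(pieces)

def run_demo():
    """Return what ends up stored for each way of passing the same input."""
    raw = "O'Reilly'); DELETE FROM people; --"   # constructed sample input
    insert = "INSERT INTO people (how, name) VALUES (?, ?)"
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (how TEXT, name TEXT)")
    # 1. Native binding: SQL text and values travel separately.
    db.execute(insert, ("native", raw))
    # 2. Emulated binding: the driver builds one SQL string; safety now
    #    depends entirely on quote_literal being correct for this server.
    db.execute(emulate_bind(insert, ["emulated", raw]))
    # 3. Quoting by hand *and* binding: the quotes become part of the data.
    db.execute(insert, ("double-quoted", quote_literal(raw)))
    return dict(db.execute("SELECT how, name FROM people").fetchall())
```

With emulation, the quoting routine has to match the server's literal syntax exactly; PostgreSQL releases of this era also treated backslash as an escape inside ordinary string literals, which the `''` doubling here does not cover.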

