| From: | Dennis Gearon <gearond(at)cvc(dot)net> |
|---|---|
| To: | "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>, Greg Stark <gsstark(at)mit(dot)edu> |
| Cc: | pgsql-general(at)postgresql(dot)org, pgsql-interfaces(at)postgresql(dot)org |
| Subject: | Re: More PHP DB abstraction layer stuff |
| Date: | 2003-01-24 19:13:53 |
| Message-ID: | 2ZNYVFD2X72ONE0091WQPZXGJEC7WR.3e319071@cal-lab |
| Lists: | pgsql-general pgsql-interfaces |
Could you elaborate on:
Placeholders (those are in prepared queries, yes?)
out of band?
1/24/2003 9:22:42 AM, Greg Stark <gsstark(at)mit(dot)edu> wrote:
>
>"Nigel J. Andrews" <nandrews(at)investsystems(dot)co(dot)uk> writes:
>
>But the best way to deal with this is to use placeholders and prepared queries
>and provide the data out of band. This completely sidesteps the issue and
>guarantees you can't get it wrong by mistake ever. Mixing user-provided data
>with program code is a recipe for security holes.
>
>--
>greg
>
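Greg's point above, as an added example that is not part of the original thread: the same lookup written both ways. "Out of band" means the parameter values are handed to the driver separately from the SQL string, so the database never parses them as SQL. This is Python against an in-memory SQLite table with constructed sample data (SQLite ships with Python, so it runs offline); the placeholder token differs per driver (`?` in sqlite3, `$1` in PHP's pg_query_params or PostgreSQL's PREPARE), but the principle is identical.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the
    PostgreSQL 'users' table a PHP abstraction layer might query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: user data is spliced into the SQL text, so the
    database parses it as part of the program. A quote in the input either
    breaks the statement or changes what it means."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, name):
    """Safe form: the SQL text is fixed; the value travels out of band as a
    bound parameter and is never parsed as SQL. (sqlite3 uses '?';
    PostgreSQL's pg_query_params uses '$1'.)"""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concatenation_breaks_on_quote(conn, name):
    """True if the concatenated query fails to parse for this input, i.e.
    ordinary data such as an apostrophe in a surname is enough to break it."""
    try:
        lookup_concatenated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Ordinary data with an apostrophe: placeholders handle it, concatenation does not.
    print(lookup_placeholder(conn, "o'brien"))            # ["o'brien"]
    print(concatenation_breaks_on_quote(conn, "o'brien"))  # True
    # Input containing SQL syntax: concatenation lets it rewrite the WHERE
    # clause and return every row; the placeholder version treats it as a
    # literal name that matches nothing.
    tainted = "x' OR 'a'='a"
    print(lookup_concatenated(conn, tainted))              # all three names
    print(lookup_placeholder(conn, tainted))               # []
```

Note that no escaping function appears anywhere in the safe path: correctness does not depend on the programmer remembering to quote each value, which is what Greg means by "guarantees you can't get it wrong by mistake".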