Mathieu CARBONNEAUX wrote:
but i think some good security ideas have been said, for example using "prepared
statement" to avoid sql injection...

We really need to stop spreading this myth that prepared statements are a security measure. Prepared statements only allow passing of the value parts of where clauses and a couple of other parts of the query. LIMIT values would be the most common thing in a query that uses variables, but they are not allowed to be prepared. I have also seen plenty of applications that use variables for the table names, field names, order by, and other parts. Prepared statements help with none of those. Prepared statements protect very little against sql injection. Making people believe otherwise is dangerous.

--

Brian Moon
-------------
http://dealnews.com/
It's good to be cheap =)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
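The following is an added example, not code from the thread or from PHP itself, that exercises the distinction the reply above draws: a bound parameter protects a value position, while a table name, a column in ORDER BY, or a LIMIT count cannot be supplied that way and has to be checked before it is interpolated into the query text. It uses Python's sqlite3 module with a constructed in-memory table; the SORTABLE and TABLES allowlists and the query_users function are assumptions made for the illustration. One caveat on the LIMIT case: SQLite itself accepts a bound parameter in LIMIT, so the block shows the validate-then-interpolate approach that is needed where the driver does not.

```python
import re
import sqlite3


# Constructed sample schema and rows for the demonstration (not from the thread).
# Rows are inserted out of alphabetical order so that sorting is visible.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users(name, role)
            VALUES ('carol', 'user'), ('alice', 'admin'), ('bob', 'user');
    """)
    return conn


def find_by_name_concat(conn, name):
    """Deliberately vulnerable: the value is spliced into the SQL text."""
    return conn.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()


def find_by_name_bound(conn, name):
    """Value position: a bound parameter is data and cannot alter the query."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def binding_table_name_fails(conn):
    """Identifier position: a placeholder where a table name belongs is a
    syntax error at prepare time, so the table name cannot be bound at all."""
    try:
        conn.execute("SELECT name FROM ?", ("users",))
    except sqlite3.OperationalError:
        return True
    return False


def order_by_bound(conn, column):
    """ORDER BY ?: the bound string is a constant expression, not a column
    reference, so the row order does not depend on which column name is bound."""
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY ?", (column,))]


# Assumed allowlists: the only identifiers this code will ever put into SQL text.
TABLES = {"users"}
SORTABLE = {"id", "name", "role"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def query_users(conn, table, order_col, limit, role):
    """Identifiers are checked against an allowlist and LIMIT is forced to an
    integer before interpolation; the one untrusted value (role) is bound."""
    if table not in TABLES or not IDENT.match(table):
        raise ValueError("table not permitted: %r" % table)
    if order_col not in SORTABLE or not IDENT.match(order_col):
        raise ValueError("sort column not permitted: %r" % order_col)
    limit = int(limit)  # int() rejects anything that is not integer text
    if limit < 1:
        raise ValueError("limit must be positive")
    sql = 'SELECT name FROM "%s" WHERE role = ? ORDER BY "%s" LIMIT %d' % (
        table, order_col, limit)
    return [r[0] for r in conn.execute(sql, (role,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat :", find_by_name_concat(db, payload))   # every row comes back
    print("bound  :", find_by_name_bound(db, payload))    # no row matches
    print("table ? :", binding_table_name_fails(db))
    print("order ? :", order_by_bound(db, "name"), order_by_bound(db, "role"))
    print("allowlist:", query_users(db, "users", "name", "10", "user"))
```

The double quotes around the interpolated identifiers are SQLite's identifier quoting; the allowlist, not the quoting, is what keeps an attacker-controlled string out of that position.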
