It's better than having to deal with SQL at a lower level, while not as good as proper training. Which is more likely we will see happening? I really doubt it's the latter.

Should PHP babysit the programmer to ensure he doesn't screw up? Not really, IMO. There are good docs available, but what beginners want is a quick glance at the manual resulting in a quick hack - and eventually that's what they end up doing over time, because that's what works for them and does their job.

What might help is pushing (via the manual) for the adoption of tools that prevent common problems, with PDO's prepared statements being one such tool.

V

Brian Moon wrote:
Mathieu CARBONNEAUX wrote:
but I think some good security ideas have been raised, for example using "prepared statements" to avoid SQL injection...

We really need to stop spreading this myth that prepared statements are a security measure. Prepared statements only allow passing of the value parts of WHERE clauses and a couple of other parts of the query. LIMIT values would be the most common thing in a query that uses variables, but they are not allowed to be prepared. I have also seen plenty of applications that use variables for the table names, field names, ORDER BY, and other parts. Prepared statements help with none of those. Prepared statements protect very little against SQL injection. Making people believe otherwise is dangerous.


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
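The distinction Brian draws above (values can be bound, identifiers and clause structure cannot) is easy to see in running code. The following is an added example, not code from the thread or from PHP itself. It uses PDO against an in-memory SQLite database, a made-up `users` table, and hypothetical helper names (`orderByClause`, `fetchPage`) to show what a placeholder does protect, what it silently fails to do for an ORDER BY column, and the allow-list plus integer-cast pattern that covers the parts placeholders cannot.

```php
<?php
// Added example (not from the mailing-list thread): where PDO prepared
// statements do and do not help against SQL injection. In-memory SQLite so
// it runs stand-alone; the users table and its contents are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'a@example.org'), ('bob', 'b@example.org')");

// 1. A value in a WHERE clause: this is exactly what binding is for.
//    The classic payload is delivered as data and never touches the SQL text.
$hostile = "' OR 1=1 --";
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$hostile]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'rows matching the payload as a name: ', count($rows), PHP_EOL; // 0

// 2. An identifier: binding is accepted syntactically but does not do what
//    the programmer meant. ORDER BY ? sorts by the constant string 'name',
//    which is no ordering at all; a bound table name would likewise become a
//    quoted literal, not a table reference. Prepared statements cannot
//    express "this parameter is an identifier".
$stmt = $pdo->prepare('SELECT name FROM users ORDER BY ?');
$stmt->execute(['name']);
echo 'ORDER BY bound value returned: ', implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL;

// Safe pattern for identifiers and clause fragments: map user input to an
// allow-list of known-good SQL; anything else is rejected, never concatenated.
function orderByClause(string $column, string $dir): string
{
    $columns = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dir = strtolower($dir);
    if (!isset($columns[$column]) || !isset($dirs[$dir])) {
        throw new InvalidArgumentException('unsupported sort column or direction');
    }
    return 'ORDER BY ' . $columns[$column] . ' ' . $dirs[$dir];
}

// Safe pattern for LIMIT/OFFSET: coerce to a non-negative int and bind with
// PDO::PARAM_INT. (With PDO's emulated prepares a string binding would be
// quoted into a literal, which is why LIMIT is a common sticking point.)
function fetchPage(PDO $pdo, string $sort, string $dir, $limit, $offset): array
{
    $sql  = 'SELECT name FROM users ' . orderByClause($sort, $dir) . ' LIMIT :lim OFFSET :off';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':lim', max(0, (int) $limit), PDO::PARAM_INT);
    $stmt->bindValue(':off', max(0, (int) $offset), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Legitimate request: sorted by name descending, first page of one row.
print_r(fetchPage($pdo, 'name', 'desc', '1', '0')); // Array ( [0] => bob )

// Hostile identifier input is rejected by the allow-list instead of being
// spliced into the query text; the table survives.
try {
    fetchPage($pdo, 'name; DROP TABLE users', 'asc', '10 OR 1=1', 0);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'users still present: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL; // 2
```

The point of the second section is the one Brian makes: a placeholder is a typed value slot, so it protects values and only values. Table names, column names, sort direction and similar structural parts have to be chosen from a fixed set in code; LIMIT and OFFSET are values, but they need to reach the driver as integers rather than strings.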
