Hello Lukas,

> Maybe I am missing something. If you are talking about dynamic query
> generation in stored routines, then I would think that people who read
> the advice over dynamic query generation for PHP, that they would
> hopefully also apply those practices to when they are writing/using
> stored routines. Also DBAs in general are not all that fond of
> dynamic query generation in stored routines.
Well, in a team it is quite likely that people writing PHP applications
are not those writing stored procedures for the SQL databases. At least
all big projects I have seen have their own team for complicated SQL
queries. Additionally, your statement assumes that people are reading
documentation ;)

However, the good thing about the PDO documentation is that it has the
warning about dynamically injected user input in it.
Many security experts (and here I speak in general, not only about PHP) claim
that the SQL injection problem is 100% fixed by the use of prepared
statements.

Additionally, I wonder how well prepared statements meanwhile handle
queries like this (which are VERY VERY common in PHP applications):

SELECT xyz FROM abc WHERE product_id IN (1,2,3,4,5)  <- the list having
dynamic length


Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
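The dynamic-length IN list raised in the message above is handled with prepared statements by generating one placeholder per element at runtime, so the SQL text only ever contains `?` markers and the values travel as bound parameters. The following is an added example written for this page, not code from the mailing-list thread or from PHP's own sources; it uses PDO with an in-memory SQLite database (so it runs without a server), reuses the table and column names from the message (`abc`, `xyz`, `product_id`), and seeds constructed sample rows. The string-concatenated variant is included only to show why the list must not be interpolated, and the empty-list case is handled explicitly because `IN ()` is a syntax error on most engines.

```php
<?php
// Added example: dynamic-length IN (...) with PDO prepared statements.
// Assumes PHP with the pdo_sqlite extension; table/column names follow the email.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, not taken from any real application.
$pdo->exec('CREATE TABLE abc (product_id INTEGER PRIMARY KEY, xyz TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO abc (product_id, xyz) VALUES (?, ?)');
foreach ([[1, 'alpha'], [2, 'beta'], [3, 'gamma'], [4, 'delta'], [5, 'epsilon'], [6, 'zeta']] as $row) {
    $ins->execute($row);
}

/**
 * Vulnerable pattern: the list is built by string interpolation, so any element
 * the caller did not validate becomes part of the SQL grammar, not a value.
 */
function productsInUnsafe(PDO $pdo, array $ids): array
{
    $list = implode(',', $ids);
    $sql  = "SELECT xyz FROM abc WHERE product_id IN ($list)";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Safe pattern: the SQL text contains only placeholders; the number of
 * placeholders is computed from the list length, and each value is bound
 * as an integer parameter. The list can be any length >= 1.
 */
function productsIn(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];                      // "IN ()" is invalid SQL; short-circuit instead
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT xyz FROM abc WHERE product_id IN ($placeholders)");

    // Positional parameters are 1-based in PDO.
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Demonstration -----------------------------------------------------------
// Constructed request input: the second element is not a product id at all.
$tainted = ['1', '2) OR 1=1 --'];

// Unsafe: the closing parenthesis and comment rewrite the WHERE clause, so
// every row comes back (6 rows here).
var_dump(count(productsInUnsafe($pdo, $tainted)));

// Safe: the hostile string is just a parameter value; it matches no integer key,
// so only product 1 is returned.
var_dump(productsIn($pdo, $tainted));   // ["alpha"]

// Safe, with a genuinely dynamic length (the case from the message).
var_dump(productsIn($pdo, [1, 2, 3, 4, 5]));   // 5 rows

// Empty list is handled without emitting invalid SQL.
var_dump(productsIn($pdo, []));   // []
```

This covers the PHP side only: the point in the message about dynamic SQL inside stored routines still stands, since a routine that concatenates its arguments into a query it then executes is not protected by the caller having used a prepared statement to invoke it.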
