On 15.06.2012 18:28, Christopher Jones wrote:

On 06/15/2012 08:34 AM, Ulf Wendel wrote:
As long as client-side escaping is done properly, there is no
practical difference between the [client vs server -prepare]
approaches.

The big problem with this line of reasoning is that the client must
know exactly the same dialect of SQL/XQUERY/whatever that the server
does. Since we can't predict the future, and so a new DB might

Plain wrong. If the client does not mess up on types and charsets, there is no practical difference between the security of properly done client-side escaping and server-side escaping. No matter if the subject of escaping is a fairy tale on Goofy or any other string that happens to look like any other human-invented format, e.g. SQL.

Ulf

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
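The two preconditions Ulf names (getting the type and the connection charset right) can be made explicit in code. Below is an added example, not code from the thread or from PHP/mysqlnd: a hypothetical client-side escaper for MySQL-style string literals that picks the literal form by Python type and decodes bytes strictly in the assumed connection charset before escaping, so a charset mismatch is refused rather than escaped as if it were text.

```python
# Hypothetical client-side "prepare": render parameters as SQL literals.
# Escape table for MySQL-style string literals (backslash escapes).
_ESCAPES = {
    "\0": "\\0", "\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
    "\x1a": "\\Z", '"': '\\"', "'": "\\'", "\\": "\\\\",
}


def escape_literal(value, charset="utf-8"):
    """Render one Python value as a single SQL literal, or refuse it."""
    if isinstance(value, bool):            # bool is an int subclass: test it first
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)                  # numeric literal, no quoting involved
    if value is None:
        return "NULL"
    if isinstance(value, bytes):
        # Strict decoding is the charset check: bytes that are not valid in
        # the connection charset are rejected (UnicodeDecodeError) instead of
        # being escaped as if they were text in that charset.
        value = value.decode(charset)
    if not isinstance(value, str):
        # Unknown types are refused rather than stringified and quoted.
        raise TypeError(f"unsupported parameter type: {type(value).__name__}")
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in value) + "'"


def build_query(template, params, charset="utf-8"):
    """Substitute %s placeholders with escaped literals (client-side prepare).

    The template is a constant written by the developer; only the
    parameters are escaped. A literal percent sign in it is written as %%.
    """
    return template % tuple(escape_literal(p, charset) for p in params)


if __name__ == "__main__":
    # Constructed sample input: a name with a quote and an integer id.
    print(build_query("SELECT * FROM users WHERE name = %s AND id = %s",
                      ("O'Reilly", 7)))
```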
