On 06/16/2012 12:19 AM, Ulf Wendel wrote:
> On 15.06.2012 18:28, Christopher Jones wrote:
>
>> On 06/15/2012 08:34 AM, Ulf Wendel wrote:
>>> As long as client-side escaping is done properly, there is no
>>> practical difference between the [client vs server -prepare]
>>> approaches.
>>
>> The big problem with this line of reasoning is that the client must
>> know exactly the same dialect of SQL/XQUERY/whatever that the server
>> does. Since we can't predict the future, and so a new DB might
>
> Plain wrong. If the client does not mess up on type and charsets there is no
> practical difference between the security of properly done client-side escaping
> and server-side escaping. No matter if the subject of escaping is a fairy tale
> on goofy or any other string that happens to look like any other human-invented
> format, e.g. SQL.
>
> Ulf


We should take this offline - I can see cases where I'd strongly disagree.

Chris

--
christopher.jo...@oracle.com
http://twitter.com/#!/ghrd

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
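The disagreement above turns on whether a client-side escaper can be "done properly" without knowing the server's exact dialect and types. The following is an added illustration, not code from the thread or from PHP/mysqlnd: a hypothetical escaper `sqlite_literal` written for one dialect (SQLite, where a single quote is doubled and a backslash is not an escape character) is compared against server-side parameter binding on the same inputs. With types handled per value, the two agree; the escaper is only correct for the dialect it was written for, which is what makes the two approaches equivalent in one case and not in general.

```python
import sqlite3

# Hypothetical client-side escaper written for ONE dialect: SQLite.
# It doubles single quotes and knows nothing about backslashes, because
# SQLite treats '\' as an ordinary character. A server speaking a
# different dialect or charset would need a different escaper.
def sqlite_literal(value):
    """Render a Python value as a SQLite literal, dispatching on type."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # must precede int: bool is an int
        return "1" if value else "0"
    if isinstance(value, int):           # numbers are emitted unquoted
        return str(value)
    if isinstance(value, bytes):         # binary goes out as a hex blob
        return "X'" + value.hex() + "'"
    if isinstance(value, str):           # text: only ' needs doubling in SQLite
        return "'" + value.replace("'", "''") + "'"
    raise TypeError("unsupported type: %r" % type(value))

def build_db():
    """Constructed in-memory table with quote-bearing sample names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "O'Brien"), (2, "alice' OR '1'='1"), (3, "bob")])
    return con

def lookup_client_escaped(con, user_id, name):
    """Client-side escaping: the literals are spliced into the SQL text."""
    sql = "SELECT id FROM users WHERE id = %s AND name = %s" % (
        sqlite_literal(user_id), sqlite_literal(name))
    return [row[0] for row in con.execute(sql)]

def lookup_bound(con, user_id, name):
    """Server-side binding: values travel separately from the SQL text."""
    return [row[0] for row in con.execute(
        "SELECT id FROM users WHERE id = ? AND name = ?", (user_id, name))]

def compare(user_id, name):
    """Return (client-escaped result, bound result) for the same input."""
    con = build_db()
    return lookup_client_escaped(con, user_id, name), lookup_bound(con, user_id, name)
```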
