<snip>
> The reason is security. A prepared statement cannot compromise the
> security of our database because all SQL statements are precompiled
> in the DBMS. An example using PEAR:  
> 
> $res = & DB::connect('mysql://someuser:[EMAIL PROTECTED]/thedb');
> $sth = $res->prepare('select * from sometable where id > ?');
> $res->execute($sth, array(10)); 
> 
> As the example demonstrates, the request is hardcoded, which means it
> cannot be manipulated by any user-supplied input. A beneficial side
> effect is that all characters which need escaping are automatically
> handled by the DBMS. E.g. the string O'leary would not cause any
> problems.    
</snip>

Huh?  How does this accommodate a dynamically generated query which
is based upon user input?

For example,

$query  = 'select p.name, a.location, p.editable ';
$query .= 'from cms_pages p, cms_areas a ';
$query .= 'where p.p_id = '.$p_id.' and p.a_id = a.a_id';

In this query the value against which p_id is tested would have to be
supplied by the user and as such would not be hard coded as in your
example above.

It is validated and its type set before it is inserted into the query,
so how does what you state above deal with this?

Cheers and TIA.

Pablo
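An added example, not from either poster, showing how Pablo's query fits the prepared-statement model: the SQL text stays fixed and only the user-supplied p_id travels as bound data. It uses PEAR DB's prepare()/execute() API as in the quoted reply; the connection DSN (with a placeholder password), the cast of $_GET['p_id'] and the second lookup by name are assumptions for illustration, while the table and column names come from Pablo's message.

```php
<?php
// Added example (not code from the thread). Requires PEAR DB; the DSN below
// is a placeholder, not a real account.
require_once 'DB.php';

// The pattern from Pablo's message: the value is spliced into the SQL text,
// so the statement's shape depends on $p_id even after validation.
function build_query_by_concat($p_id)
{
    $query  = 'select p.name, a.location, p.editable ';
    $query .= 'from cms_pages p, cms_areas a ';
    $query .= 'where p.p_id = ' . $p_id . ' and p.a_id = a.a_id';
    return $query;
}

// The same query with a placeholder. The SQL is compiled without any user
// data in it; the value is passed separately at execute() time, so it cannot
// alter the statement's structure and the driver handles quoting.
function fetch_page($db, $p_id)
{
    $sql = 'select p.name, a.location, p.editable '
         . 'from cms_pages p, cms_areas a '
         . 'where p.p_id = ? and p.a_id = a.a_id';

    $sth = $db->prepare($sql);                 // fixed text, no user input
    $res = $db->execute($sth, array($p_id));   // user value bound here
    if (DB::isError($res)) {
        return null;
    }
    $row = $res->fetchRow(DB_FETCHMODE_ASSOC);
    $db->freePrepared($sth);
    return $row;
}

// Same idea for a string column (assumed lookup, not in the thread): a value
// such as O'Leary is bound as data, so the apostrophe needs no manual escaping.
function fetch_page_by_name($db, $name)
{
    $sql = 'select p.name, a.location, p.editable '
         . 'from cms_pages p, cms_areas a '
         . 'where p.name = ? and p.a_id = a.a_id';

    $sth = $db->prepare($sql);
    $res = $db->execute($sth, array($name));
    if (DB::isError($res)) {
        return null;
    }
    $row = $res->fetchRow(DB_FETCHMODE_ASSOC);
    $db->freePrepared($sth);
    return $row;
}

$db = DB::connect('mysql://someuser:PASSWORD_PLACEHOLDER@localhost/thedb');
if (DB::isError($db)) {
    die($db->getMessage());
}

// $_GET['p_id'] stands in for the user-supplied value Pablo describes. The
// cast keeps his type check; binding does the rest.
$p_id = isset($_GET['p_id']) ? (int) $_GET['p_id'] : 0;
$row  = fetch_page($db, $p_id);

$row2 = fetch_page_by_name($db, "O'Leary");
```

The query is still "dynamic" in the sense Pablo means: a different p_id on every request. What is fixed is the statement text handed to prepare(); the changing part is data, never SQL.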

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
