> I think you can happily sanitise data where it makes sense, and use bound
> parameters elsewise. So when you expect a number, it's easy to check for and
> force a sensible default. Likewise for things like dates, or names of
> articles (probably a popular need with a CMS) you can check and enfo
Govinda wrote:
>>> Ah, but what if I use sqlite or postgres?
>>
>> Or Firebird ;)
>
> Good point.
>
>
>>> IMHO, the discussion needs to be the best way to prevent SQL injection across
>>> all possible DB types. Not just mysql.
>>
>> The main thing to avoid is building queries from elements t
>> Ah, but what if I use sqlite or postgres?
>
> Or Firebird ;)
Good point.
>> IMHO, the discussion needs to be the best way to prevent SQL injection across
>> all possible DB types. Not just mysql.
>
> The main thing to avoid is building queries from elements that are directly
> loade
Jim Lucas wrote:
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in general) ... but just curious - can anyone demo a hack
that effectively injects past mysqli_real_escape_string(), while using utf-8?
It may just be a matter of time (or already?) be
On 06/08/2012 10:31 AM, Govinda wrote:
Is it possible to have a "meeting of the minds" to come up with (an)
appropriate method(s)?
Minds, meet prepared statements :)
PDO is the way to go :D
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in
>> Is it possible to have a "meeting of the minds" to come up with (an)
>> appropriate method(s)?
> Minds, meet prepared statements :)
> PDO is the way to go :D
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in general) ... but just curious - c
-Original Message-
From: Adam Richardson [mailto:simples...@gmail.com]
Sent: Friday, June 08, 2012 11:50 AM
To: PHP-General
Subject: Re: [PHP] SQL Injection
On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg
wrote:
> Is it possible to have a "meeting of the minds" to come up with (an)
> a
On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg wrote:
> Is it possible to have a "meeting of the minds" to come up with (an)
> appropriate method(s)?
Minds, meet prepared statements :)
Adam
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
Dear List -
I am aware of a long email trail on this subject, but there does not
seem to be a resolution.
Is it possible to have a "meeting of the minds" to come up with (an)
appropriate method(s)?
Thanks.
Ethan Rosenberg
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe,
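The approaches the thread converges on, as an added example that is not code from any of the posters: validate the shape of numbers and dates up front and fall back to a harmless default, pass every value through a bound parameter so the SQL text never contains user data (which is what makes it portable across MySQL, SQLite, PostgreSQL and Firebird through PDO), and, where legacy mysqli code still escapes, set the connection charset through mysqli_set_charset() rather than a raw SET NAMES so the escaper and the server agree on byte boundaries. The table articles(id, slug, published), the DSN, the credentials and the helper names are assumptions for illustration.

```php
<?php
// Added illustration for the thread; not code posted by any participant.
// Assumes (for illustration only) a MySQL database "app" on localhost with a
// table articles(id INT, slug VARCHAR(100), published DATE) and the credentials
// shown in connect().
declare(strict_types=1);

// 1. Check the shape of what you expect and fall back to a sensible default.
function articleId(mixed $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "1 OR 1=1", "0x1f" and "" outright.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function publishedDate(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // createFromFormat is lenient ("2012-02-31" rolls over to March 2nd), so
    // re-serialise and require a round trip to the exact input.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// 2. Bind values; the SQL text never contains user data, on any PDO driver.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // charset belongs in the DSN
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare; values never touch the query text
        ]
    );
}

function findArticle(PDO $pdo, int $id, ?string $since): array
{
    $sql = 'SELECT id, slug FROM articles WHERE id = :id';
    if ($since !== null) {
        $sql .= ' AND published >= :since';
    }
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    if ($since !== null) {
        $stmt->bindValue(':since', $since, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Legacy mysqli code that still escapes: the escaper only knows the
//    connection charset if it was set through the API. A raw "SET NAMES"
//    changes the server side only, and that mismatch is what the
//    multibyte bypasses of real_escape_string rely on.
function legacyLookup(mysqli $db, string $slug): string
{
    mysqli_set_charset($db, 'utf8mb4');            // not: $db->query("SET NAMES utf8mb4")
    $safe = mysqli_real_escape_string($db, $slug);
    return "SELECT id FROM articles WHERE slug = '$safe'"; // escaping only works inside quotes
}

$id    = articleId($_GET['id'] ?? null) ?? 0;    // garbage becomes the harmless default 0
$since = publishedDate($_GET['since'] ?? null);  // garbage simply drops the date filter
$rows  = findArticle(connect(), $id, $since);
```

On the escaping question raised above: the well-known bypasses of real_escape_string depend on the client library believing the connection uses a single-byte charset while the server treats it as a multibyte one (the classic demonstrations use GBK or Big5 rather than UTF-8), which is exactly the mismatch that mysqli_set_charset() prevents. With PDO::ATTR_EMULATE_PREPARES disabled, values are never escaped into the query text at all, so the question does not arise.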
I was hoping for a TV
On Fri, Jun 8, 2012 at 10:19 AM, <> wrote:
> Your Order with Amazon.com
>
>Thanks for your order,
> php-db-h...@lists.php.net!Did you know you can
> view and edit your orders onlin
Stuart Dallas ha scritto:
>On 8 Jun 2012, at 00:39, Tazio Ceri wrote:
>
>> I have a PHP script that takes very long time to execute. I manage it
>using the following structure:
>>
>> ob_start();
>>
>> // some code
>> session_start();
>> // some code
>>
>> header("Content-length: ".ob_get_lengt
There are essentially 2 ways:
1. All POSTed data is present in the $_POST superglobal array. So you
could just loop over that, ignore the fields you already knew were there,
and the data remaining is then essentially the data you seek. The keys in
the $_POST array are the fieldnames you are look
12 matches