On 11/05/2007 08:34 PM, Michael Southwell wrote:
> One last question: when affected_rows returns -1 (according to the docs)
> it "indicates that the query returned an error." My example demonstrates
> this by throwing an exception here:
> if ( $demo -> affected_rows == -1 ) throw new Exception (
I think the best example of how to make prepared statements fail is to
try something like this:
SELECT name FROM wines WHERE ?='red';
This will result in an error. If you think about what is going on
behind the scenes, it should be clear why.
Regards,
John Campbell
Michael Southwell wrote:
> I have a mysqli script which works perfectly except when I try to force
> an exception
> by using a test attacking parameter. I can't get an exception thrown
> even though I also
> don't get any output. The docs say the prepared statement must be a
> single statement, and
Hi everyone,
I've been lurking since March and have decided that it's time to at least
introduce myself.
I've been coding HTML since 1997 (self-taught) and worked for a webdev
company during the latter part of the dotcom boom. I got interested in graphic
design, so after everything went bust I switc
Flavio daCosta wrote:
This is a perfect example of why prepared statements are so much better
for SQL injection avoidance than straight SQL calls.
Exactly why I'm working on understanding the mechanism behind it, so I
can explain it rather than just demonstrating it.
One last question: whe
On 11/05/2007 06:14 PM, Michael Southwell wrote:
> aha, so 'SELECT name FROM wines WHERE color = "red";DELETE FROM wines'
> is two statements in mysql (failing with mysql_query) but one in mysqli?!?!
Correct, mysql_query() processes a string: 'SELECT name FROM wines WHERE
color = "red";DELETE FROM
Flavio daCosta wrote:
On 11/05/2007 05:16 PM, Michael Southwell wrote:
/snip
The docs say the prepared statement must be a
single statement, and of course
this is not. But why don't I get an exception here?
Your /prepare/d statement is a single statement.
aha, so 'SELECT name FROM wines WHER
BDD is just too cool (and productive) to ignore :-)
http://code.google.com/p/phpspec/
No downloads yet except w/ what is in trunk ...
svn checkout http://phpspec.googlecode.com/svn/trunk/phpspec
Hope it picks up some traction + someone can present sometime ...
- Jon
On 11/05/2007 05:16 PM, Michael Southwell wrote:
/snip
> The docs say the prepared statement must be a
> single statement, and of course
> this is not. But why don't I get an exception here?
Your /prepare/d statement is a single statement. You have bound
'red;DELETE FROM wines' to your parameter,
I have a mysqli script which works perfectly except when I try to force
an exception
by using a test attacking parameter. I can't get an exception thrown
even though I also
don't get any output. The docs say the prepared statement must be a
single statement, and of course
this is not. But why d