[nyphp-talk] mysqli exception problem

2007-11-06 Thread Michael Southwell
Thanks, everybody. I knew preparing worked; I was trying to find out what PHP could tell me about how it worked. I think I have it now: We don't need to worry about injection with a prepared query because (thanks to the preparation) that query is not parsed as if it were an instruction.
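The mechanism the thread settles on, as an added example that is not from the list: Python's sqlite3 module is assumed here as a stand-in for PHP's mysqli, since both expose a one-statement query API alongside bound parameters, and the wines rows are constructed sample data. It also covers John Campbell's point further down that a placeholder cannot stand in for an identifier.

```python
import sqlite3
# Constructed sample data standing in for the thread's "wines" table.
WINES = [("Merlot", "red"), ("Chardonnay", "white"), ("Pinot Noir", "red")]
# The thread's test attacking parameter, bound as a value below.
TEST_VALUE = "red;DELETE FROM wines"

def fresh_db():
    """In-memory database holding the constructed wines table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wines (name TEXT, color TEXT)")
    conn.executemany("INSERT INTO wines VALUES (?, ?)", WINES)
    return conn

def count_wines(conn):
    return conn.execute("SELECT COUNT(*) FROM wines").fetchone()[0]

def names_by_color(conn, color):
    """Prepared statement: the bound value is compared as data and never parsed
    as SQL, so 'red;DELETE FROM wines' simply matches no color."""
    cur = conn.execute("SELECT name FROM wines WHERE color = ?", (color,))
    return [name for (name,) in cur.fetchall()]

def single_statement_api_rejects(conn, sql):
    """Like mysql_query(), sqlite3's execute() runs exactly one statement and
    refuses text holding two (sqlite3.Warning on older Pythons, ProgrammingError on newer)."""
    try:
        conn.execute(sql)
        return False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True

def identifier_placeholder_fails(conn):
    """A '?' may stand only where a value can; as a table name it is a syntax
    error, so a statement built that way already fails at prepare time."""
    try:
        conn.execute("SELECT name FROM ?", ("wines",))
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    conn = fresh_db()
    results = {"prepared": names_by_color(conn, TEST_VALUE),   # []
               "rows_after_prepared": count_wines(conn)}      # 3
    # The same text with the value spliced into the SQL is two statements;
    # a one-statement API refuses it outright and nothing is deleted.
    two = "SELECT name FROM wines WHERE color = 'red';DELETE FROM wines"
    results["two_statements_rejected"] = single_statement_api_rejects(conn, two)
    results["rows_after_rejection"] = count_wines(conn)        # still 3
    results["identifier_placeholder_fails"] = identifier_placeholder_fails(conn)
    return results
```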

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread Flavio daCosta
On 11/05/2007 08:34 PM, Michael Southwell wrote: > One last question: when affected_rows returns -1 (according to the docs) > it "indicates that the query returned an error." My example demonstrates > this by throwing an exception here: > if ( $demo -> affected_rows == -1 ) throw new Exception (

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread John Campbell
I think the best example of how to make prepared statements fail is to try something like this: SELECT name FROM wines WHERE ?='red'; This will result in an error. If you think about what is going on behind the scenes, it should be clear why. Regards, John Campbell

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread Dan Cech
Michael Southwell wrote: > I have a mysqli script which works perfectly except when I try to force > an exception > by using a test attacking parameter. I can't get an exception thrown > even though I also > don't get any output. The docs say the prepared statement must be a > single statement, and

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread Michael Southwell
Flavio daCosta wrote: This is a perfect example of why prepared statements are so much better for SQL injection avoidance than straight SQL calls. Exactly why I'm working on understanding the mechanism behind it, so I can explain it rather than just demonstrating it. One last question: whe

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread Flavio daCosta
On 11/05/2007 06:14 PM, Michael Southwell wrote: > aha, so 'SELECT name FROM wines WHERE color = "red";DELETE FROM wines' > is two statements in mysql (failing with mysql_query) but one in mysqli?!?! Correct, mysql_query() processes a string: 'SELECT name FROM wines WHERE color = "red";DELETE FROM

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread Michael Southwell
Flavio daCosta wrote: On 11/05/2007 05:16 PM, Michael Southwell wrote: /snip The docs say the prepared statement must be a single statement, and of course this is not. But why don't I get an exception here? Your /prepare/d statement is a single statement. aha, so 'SELECT name FROM wines WHER

Re: [nyphp-talk] mysqli exception problem

2007-11-05 Thread Flavio daCosta
On 11/05/2007 05:16 PM, Michael Southwell wrote: /snip > The docs say the prepared statement must be a > single statement, and of course > this is not. But why don't I get an exception here? Your /prepare/d statement is a single statement. You have bound 'red;DELETE FROM wines' to your parameter,

[nyphp-talk] mysqli exception problem

2007-11-05 Thread Michael Southwell
I have a mysqli script which works perfectly except when I try to force an exception by using a test attacking parameter. I can't get an exception thrown even though I also don't get any output. The docs say the prepared statement must be a single statement, and of course this is not. But why d