[thelist] Keeping PHP forms secure

David Dorward david at dorward.me.uk
Tue Aug 7 08:21:59 CDT 2007


On 7 Aug 2007, at 13:12, Sales @ Lycosa wrote:

>> Regular expressions? Does PHP really lack a parameterized SQL execute
>> function?!
>
> What exactly do you mean by parameterized SQL execute function?
> Could you give me an example?

In, for instance, Perl you would generally do something along the  
lines of:

my $statement = "INSERT into Foo values(?,?,?)";   # each ? is a placeholder for a value
my $sth = $dbh->prepare($statement);                # the driver parses the SQL once
$sth->execute($value1, $value2, $value3);           # values are bound as data, never as SQL
$sth->execute($valueA, $valueB, $valueC);           # same handle, re-run with new values

The escaping of potentially dangerous characters is all handled by  
standard routines which automatically change depending on the  
database driver (to handle variations between types of database).

> Anything other than correct input data is either a user error, or  
> malicious.

Or a design error in determining what 'correct' is in the first place.


-- 
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/
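An added example, not part of David's post, that answers the original question in PHP itself: the PDO extension (bundled with PHP since 5.1) offers the same prepare-then-execute pattern with ? placeholders, and mysqli prepared statements do as well. The script is constructed for this demonstration and assumes PHP with the pdo_sqlite extension; the in-memory table, its rows and the hostile form value are all made up inline. It runs one lookup by string concatenation and the same lookup through a prepared statement so the difference is visible.

```php
<?php
// Added example, not code from the original post. Assumes pdo_sqlite is
// available; the database, table and user rows are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed hostile form input: a tautology injection.
$input = "x' OR '1'='1";

// 1. String concatenation: the quote inside $input closes the literal early
//    and the remainder is parsed as SQL, so every row comes back.
$unsafe = "SELECT name FROM users WHERE name = '" . $input . "'";
$rows = $db->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated: %d row(s) -> %s\n", count($rows), implode(', ', $rows));

// 2. Prepared statement with a ? placeholder: the value travels as data and
//    is never parsed as SQL, so the lookup is for the literal string and finds
//    nothing. The handle is executed repeatedly with new values, exactly like
//    the two $sth->execute(...) calls in the Perl snippet above.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
foreach ([$input, 'alice'] as $value) {
    $stmt->execute([$value]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    printf("prepared(%s): %d row(s) -> %s\n", $value, count($rows), implode(', ', $rows));
}
```

Run it with `php example.php`: the concatenated query returns both users, the prepared one returns none for the hostile value and exactly one for 'alice'. The caveat a practitioner needs: placeholders bind values only. A table or column name, or an ORDER BY direction, cannot be passed as ?; anything of that kind must be chosen from a fixed list in the application rather than taken from the form.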
