hi david... the functionality that you're talking about is a function of mysql/postgres, or whatever the db app is that you're using... you can do what you've described in php as i recall... do a search for mysql and prepare statements... i think i saw that this is implemented... peace..

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of David Dorward
Sent: Tuesday, August 07, 2007 6:22 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Keeping PHP forms secure

On 7 Aug 2007, at 13:12, Sales @ Lycosa wrote:

>> Regular expressions? Does PHP really lack a parameterized SQL execute
>> function?!
>
> What exactly do you mean by parameterized SQL execute function?
> Could you give me an example?

In, for instance, Perl you would generally do something along the lines of:

  my $statement = "INSERT into Foo values(?,?,?)";
  my $sth = $dbh->prepare($statement);
  $sth->execute($value1, $value2, $value3);
  $sth->execute($valueA, $valueB, $valueC);

The escaping of potentially dangerous characters is all handled by standard routines which automatically change depending on the database driver (to handle variations between types of database).

> Anything other than correct input data is either a user error, or
> malicious.

Or a design error in determining what 'correct' is in the first place.

--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/

--
* * Please support the community that supports you. * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !
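The prepare/execute pattern from the quoted Perl snippet, written in PHP with PDO as an added example (not code from either poster). It assumes the pdo_sqlite extension and uses an in-memory SQLite table so it runs without a server; the table Foo, its columns and the sample rows are constructed here.

```php
<?php
// Added example: the Perl prepare/execute pattern quoted above, done with PHP's PDO.
// Assumes pdo_sqlite is available; the table and rows below are constructed for the demo.

function insertFooRows(PDO $dbh, array $rows): int
{
    // The SQL text contains only placeholders; the driver binds the values,
    // so quoting and escaping never depend on hand-written code.
    $sth = $dbh->prepare('INSERT INTO Foo (a, b, c) VALUES (?, ?, ?)');
    foreach ($rows as $row) {
        $sth->execute($row);   // same prepared statement, different parameters
    }
    return count($rows);
}

function countFooByA(PDO $dbh, string $a): int
{
    // Lookups use the same mechanism: the search value is a bound parameter.
    $sth = $dbh->prepare('SELECT COUNT(*) FROM Foo WHERE a = ?');
    $sth->execute([$a]);
    return (int) $sth->fetchColumn();
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the database engine itself handle the binding rather than PDO's client-side emulation.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->exec('CREATE TABLE Foo (a TEXT, b TEXT, c TEXT)');

// Constructed sample input. The second and third rows carry characters (an apostrophe,
// a backslash, double quotes) that would break a query assembled by string concatenation.
$rows = [
    ['alice',            'x', 'y'],
    ["O'Brien",          'x', 'y'],
    ['back\\slash "q"',  'x', 'y'],
];
insertFooRows($dbh, $rows);

// Each awkward value is stored and matched literally as data, not interpreted as SQL.
printf("rows for alice: %d\n", countFooByA($dbh, 'alice'));
printf("rows for O'Brien: %d\n", countFooByA($dbh, "O'Brien"));
printf("rows for back\\slash \"q\": %d\n", countFooByA($dbh, 'back\\slash "q"'));
```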