[thelist] Keeping PHP forms secure

bruce bedouglas at earthlink.net
Tue Aug 7 09:14:46 CDT 2007

hi david...

the functionality that you're talking about is a function of mysql/postgres,
ar whatever the db app is that you're using... you can do what you've
described in php as i recall...

do a search for mysql and prepare statements... i think i saw that this is


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org]On Behalf Of David Dorward
Sent: Tuesday, August 07, 2007 6:22 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Keeping PHP forms secure

On 7 Aug 2007, at 13:12, Sales @ Lycosa wrote:

>> Regular expressions? Does PHP really lack a parameterized SQL execute
> function?!
> What exactly do you mean by parameterized SQL execute function?
> Could you
> give me an example?

In, for instance, Perl you would generally do something along the
lines of:

my $statement = "INSERT into Foo values(?,?,?)";
my $sth = $dbh->prepare($statement);
$sth->execute($value1, $value2, $value3);
$sth->execute($valueA, $valueB, $valueC);

The escaping of potentially dangerous characters is all handled by
standard routines which automatically change depending on the
database driver (to handle variations between types of database).

> Anything other than correct input data is either a user error, or
> malicious.

Or a design error in determining what 'correct' is in the first place.

David Dorward


* * Please support the community that supports you.  * *

For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !

More information about the thelist mailing list