[thelist] Re: Avoiding SQL Injection
Robert Gormley
robert at pennyonthesidewalk.com
Mon Mar 21 21:42:05 CST 2005
Ken Schaefer wrote:
>Use prepared statements. JDBC has stuff for this. ADO has stuff for this.
>ADO.NET as well. I don't know what PHP uses to connect to mySQL, but
>magic_quotes and is_int are not sufficient safeguards against every type of
>attack if you are building SQL inline in your PHP code.
>
Agreed. For reference, prepared statements are available in the mysqli
extension for PHP 5. (IIRC, you may also need MySQL 4.1)...
Robert
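To make the point of the thread concrete (inline SQL built from "escaped" input versus a prepared statement with a bound parameter), here is an added example that is not part of the original post. It uses Python's built-in sqlite3 module rather than PHP's mysqli so that it runs stand-alone with no database server; the prepare()/bind_param() pair in mysqli plays the same role as the `?` placeholder and parameter tuple below. The table, rows and the `escape_quotes` helper standing in for magic_quotes-style escaping are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example.
ROWS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """Stand-in for magic_quotes/addslashes-style escaping: it neutralises
    quote characters and nothing else. SQLite escapes a single quote by
    doubling it, so that form is used here instead of a backslash."""
    return value.replace("'", "''")


def lookup_inline(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the query is assembled by string concatenation.
    The value has been "escaped", but it lands in a numeric context where
    no quote character is needed to break out, so escaping changes nothing."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: placeholder plus bound value, the DB-API analogue of
    mysqli prepare()/bind_param(). The bound text is never parsed as SQL;
    SQLite applies the column's numeric affinity to it, so "2" still
    matches id 2 while "2 OR 1=1" matches nothing."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_by_name_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Same idea in a string context: a classic quote-breaking payload is
    compared literally against the name column rather than executed."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    print(lookup_inline(conn, "2"))            # ['bob']
    print(lookup_inline(conn, "2 OR 1=1"))     # ['alice', 'bob', 'carol'] (injected)
    print(lookup_prepared(conn, "2"))          # ['bob']
    print(lookup_prepared(conn, "2 OR 1=1"))   # [] (treated as data)
    print(lookup_by_name_prepared(conn, "' OR '1'='1"))  # []
```

The inline version is exactly the case Ken describes: is_int would reject `2 OR 1=1`, but a check that only escapes quotes passes it straight through, and once the attacker controls the SQL text no amount of escaping recovers the situation. The prepared version fixes this structurally rather than by filtering, which is why it holds for inputs nobody thought to blacklist.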