[thelist] Keeping PHP forms secure

David Dorward david at dorward.me.uk
Tue Aug 7 08:21:59 CDT 2007

On 7 Aug 2007, at 13:12, Sales @ Lycosa wrote:

>> Regular expressions? Does PHP really lack a parameterized SQL execute
>> function?!
> What exactly do you mean by parameterized SQL execute function?
> Could you give me an example?

In, for instance, Perl you would generally do something along the lines of:

use DBI;
# DSN and credentials are placeholders; any DBD driver works the same way
my $dbh = DBI->connect("dbi:Driver:dbname", "user", "password", { RaiseError => 1 });

my $statement = "INSERT into Foo values(?,?,?)";
my $sth = $dbh->prepare($statement);      # parsed once, with ? placeholders
$sth->execute($value1, $value2, $value3); # values are bound and quoted by the driver
$sth->execute($valueA, $valueB, $valueC); # the prepared statement can be reused

The escaping of potentially dangerous characters is all handled by
standard routines which automatically change depending on the
database driver (to handle variations between types of database).

> Anything other than correct input data is either a user error, or  
> malicious.

Or a design error in determining what 'correct' is in the first place.

David Dorward
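The PHP counterpart of the Perl DBI snippet above, as an added example that is not part of the original mail: PDO with `?` placeholders, run against an in-memory SQLite database so it works offline. The `Foo` table, the sample form values and the `insertUnsafe`/`insertSafe` names are constructed for illustration.

```php
<?php
// Added example, not from the original post. PDO is PHP's driver-independent
// database layer; the driver quotes bound values the way DBI does in Perl.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE Foo (name TEXT, email TEXT, comment TEXT)');

// Risky pattern: form input spliced straight into the SQL text. Any quote
// character in the input becomes part of the statement's syntax.
function insertUnsafe(PDO $dbh, string $name, string $email, string $comment): void
{
    $sql = "INSERT INTO Foo VALUES('$name', '$email', '$comment')";
    $dbh->exec($sql);
}

// Parameterized pattern: the statement is prepared once with ? placeholders
// and the values are supplied at execute time, so they are always data.
function insertSafe(PDO $dbh, array $rows): int
{
    $sth = $dbh->prepare('INSERT INTO Foo VALUES(?, ?, ?)');
    foreach ($rows as [$name, $email, $comment]) {
        $sth->execute([$name, $email, $comment]);   // same handle, new values
    }
    return count($rows);
}

// Constructed form submissions; the apostrophes are ordinary user input.
$rows = [
    ['Alice', 'alice@example.com', "It's working"],
    ['Bob',   'bob@example.com',   "Isn't it?"],
];

try {
    insertUnsafe($dbh, 'Carol', 'carol@example.com', "O'Brien says hi");
} catch (PDOException $e) {
    // The concatenated statement is malformed as soon as input contains a quote.
    echo "Concatenated query failed: ", $e->getMessage(), "\n";
}

$inserted = insertSafe($dbh, $rows);
$stored = (int) $dbh->query('SELECT COUNT(*) FROM Foo')->fetchColumn();
echo "Inserted $inserted rows via placeholders; table holds $stored rows.\n";
```

With a server-side database (MySQL, PostgreSQL) the same code applies unchanged; only the DSN passed to `new PDO(...)` differs, which is the driver independence the mail describes.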
