[thelist] Keeping PHP forms secure
bruce
bedouglas at earthlink.net
Tue Aug 7 09:14:46 CDT 2007
hi david...
the functionality that you're talking about is a function of mysql/postgres,
or whatever the db app is that you're using... you can do what you've
described in php as i recall...
do a search for mysql and prepare statements... i think i saw that this is
implemented...
peace..
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org]On Behalf Of David Dorward
Sent: Tuesday, August 07, 2007 6:22 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Keeping PHP forms secure
On 7 Aug 2007, at 13:12, Sales @ Lycosa wrote:
>> Regular expressions? Does PHP really lack a parameterized SQL execute
>> function?!
>
> What exactly do you mean by parameterized SQL execute function?
> Could you give me an example?
In, for instance, Perl you would generally do something along the
lines of:
my $statement = "INSERT into Foo values(?,?,?)";
my $sth = $dbh->prepare($statement);
$sth->execute($value1, $value2, $value3);
$sth->execute($valueA, $valueB, $valueC);
The escaping of potentially dangerous characters is all handled by
standard routines which automatically change depending on the
database driver (to handle variations between types of database).
> Anything other than correct input data is either a user error, or
> malicious.
Or a design error in determining what 'correct' is in the first place.
--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/
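The PHP counterpart of the Perl DBI snippet above, as an added example that is not part of the thread: PDO prepared statements with bound parameters, run against an in-memory SQLite database so it works offline (the table name Foo is taken from the Perl example; the pdo_sqlite extension and the sample rows are assumptions).

```php
<?php
// Added example, not from the thread: PHP/PDO equivalent of the Perl DBI
// prepare/execute pattern. Runs against in-memory SQLite so it needs no
// server; assumes the pdo_sqlite extension is installed.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for real driver-side prepares rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE Foo (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    return $db;
}

/** Insert several rows through one prepared statement, like repeated $sth->execute() in Perl. */
function insertRows(PDO $db, array $rows): void
{
    // The '?' placeholders are never filled in by string concatenation; the
    // values travel separately from the SQL text, so quoting is the driver's job.
    $sth = $db->prepare('INSERT INTO Foo (name, email) VALUES (?, ?)');
    foreach ($rows as [$name, $email]) {
        $sth->execute([$name, $email]);
    }
}

/** Look a row up by name, again through a bound (named) parameter. */
function findByName(PDO $db, string $name): ?array
{
    $sth = $db->prepare('SELECT name, email FROM Foo WHERE name = :name');
    $sth->execute([':name' => $name]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDb();
// Constructed sample input. The apostrophe in O'Brien is exactly the kind of
// character that breaks naive "... WHERE name = '$name'" string building.
insertRows($db, [
    ["O'Brien", 'obrien@example.com'],
    ['Alice',   'alice@example.com'],
]);

var_dump(findByName($db, "O'Brien"));  // the apostrophe is stored and matched as data
var_dump(findByName($db, 'Nobody'));   // no matching row, and no SQL error
```

The same pattern is available with mysqli (`prepare()` followed by `bind_param()`), which is what the "mysql and prepare statements" search above turns up.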