Newsgroups: php.internals
Subject: Re: [PHP-DEV] pdo: binding variables supplied to execute() is NotVeryUseful(tm)...
From: lsmith@php.net (Lukas Smith)
To: Jared.Williams1@ntlworld.com
Cc: "'Thies C. Arntzen'" , internals@lists.php.net
Date: Fri, 25 Mar 2005 14:41:59 +0100
Message-ID: <42441527.20301@php.net>
In-Reply-To: <20050325133618.EZOA1844.aamta08-winn.mailhost.ntl.com@win2ks>

Jared Williams wrote:
>> $sql = "insert into $table ($col_list) values ($bind_list)";
>
> Can I just point out that you've just negated the whole reason for having parameters in the first place, imo.

Uhm, the point of prepared queries is not to eliminate SQL injection. That's just an added benefit.

> $table is just as vulnerable to an SQL injection attack, as any of the parameters were before we had parameter binding.

You are assuming that $table has not been sanitized; it seems quite unlikely to me that it's even going to be a variable controlled by user input in the first place.

regards,
Lukas
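The exchange above turns on one fact both sides take for granted: PDO can bind values, but it cannot bind identifiers, so $table and $col_list reach the SQL string as text no matter how the values are passed. The following is an added example, not code from the thread or from PDO itself, that puts the interpolated-identifier insert under discussion beside a version that validates the table and column names against a fixed allowlist before interpolating them. The ALLOWED_SCHEMA map, the insertUnchecked/insertChecked helpers and the in-memory SQLite setup are assumptions constructed for the illustration.

```php
<?php
// Added example (not from the thread): the interpolated-identifier insert the
// thread argues about, beside a version that allowlists $table and the column
// names. PDO binds values only, never identifiers, so identifiers must be
// checked by some other means before they are spliced into the SQL text.
declare(strict_types=1);

// Constructed allowlist for the example: table name => permitted columns.
const ALLOWED_SCHEMA = [
    'users'  => ['name', 'email'],
    'orders' => ['user_id', 'total'],
];

/**
 * The pattern under discussion: row values are bound through PDO, but
 * $table and the column list are interpolated as-is. If either of those
 * is attacker-controlled, the bound values provide no protection.
 */
function insertUnchecked(PDO $pdo, string $table, array $row): void
{
    $col_list  = implode(', ', array_keys($row));
    $bind_list = implode(', ', array_fill(0, count($row), '?'));
    $sql = "insert into $table ($col_list) values ($bind_list)";
    $pdo->prepare($sql)->execute(array_values($row));
}

/**
 * Hardened form: identifiers are checked against the allowlist before they
 * touch the SQL string; values are still bound positionally through PDO.
 */
function insertChecked(PDO $pdo, string $table, array $row): void
{
    if (!array_key_exists($table, ALLOWED_SCHEMA)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $cols = array_keys($row);
    $bad  = array_diff($cols, ALLOWED_SCHEMA[$table]);
    if ($bad !== []) {
        throw new InvalidArgumentException('unknown column(s): ' . implode(', ', $bad));
    }
    // The identifiers are now known to come from our own list; quote them
    // anyway (standard SQL double quotes) so a column named like a keyword
    // cannot break the statement.
    $quote     = fn(string $id): string => '"' . $id . '"';
    $col_list  = implode(', ', array_map($quote, $cols));
    $bind_list = implode(', ', array_fill(0, count($cols), '?'));
    $sql = 'insert into ' . $quote($table) . " ($col_list) values ($bind_list)";
    $pdo->prepare($sql)->execute(array_values($row));
}

// Usage against an in-memory SQLite database (constructed for the example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table users (name text, email text)');

insertChecked($pdo, 'users', ['name' => 'alice', 'email' => 'a@example.com']);
echo "rows: " . $pdo->query('select count(*) from users')->fetchColumn() . "\n";

// A table name under attacker control: the checked version refuses it before
// any SQL is built, whereas insertUnchecked() would splice it straight in.
$hostile = 'users (name, email) values ("x", "y"); drop table users; --';
try {
    insertChecked($pdo, $hostile, ['name' => 'x', 'email' => 'y']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allowlist is the whole point: validating $table by escaping or quoting alone is not enough, because an identifier is not a string literal and the driver will not treat it as one. Checking it against names the application already knows is what makes the interpolation safe, and it is the check that is missing from the one-liner quoted above.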