Newsgroups: php.internals
Xref: news.php.net php.internals:27425
Message-ID: <45A903BC.6020606@pooteeweet.org>
Date: Sat, 13 Jan 2007 17:07:24 +0100
To: Stefan Esser
Cc: info@ch2o.info, "internals@lists.php.net"
References: <45A8FC49.7050909@hardened-php.net> <45A8FF84.7000305@pooteeweet.org> <45A90249.7070802@hardened-php.net>
In-Reply-To: <45A90249.7070802@hardened-php.net>
Subject: Re: [PHP-DEV] Comments on PHP security
From: mls@pooteeweet.org (Lukas Kahwe Smith)

Stefan Esser wrote:
> SELECT xyz FROM abc WHERE product_id IN ( 1,2,3,4,5) <- the list having
> dynamic length

They have worked in PEAR::DB and some other DBALs, as a result a lot of people have come to think of prepared statements as a sprintf() replacement. By the nature of prepared statements they only work with single literals, which a list of values isn't.

regards,
Lukas
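The point Lukas makes is that a bound parameter stands for exactly one literal, so a dynamic-length IN (...) list needs one placeholder per value. The following is an added example, not code from this mail, from PEAR::DB or from any other DBAL; it uses PDO with an in-memory SQLite database (assumed to be available through the pdo_sqlite extension), a constructed table named after the one in Stefan's query, and hypothetical helper names selectByIds() and selectWithSinglePlaceholder().

```php
<?php
// Added example: a dynamic-length IN (...) list with real prepared statements.
// Each value gets its own placeholder and is bound separately, because a
// single placeholder can only stand for one literal, never for a list.

declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumption: the
// pdo_sqlite extension is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE abc (product_id INTEGER PRIMARY KEY, xyz TEXT)');
$insert = $pdo->prepare('INSERT INTO abc (product_id, xyz) VALUES (?, ?)');
foreach ([[1, 'one'], [2, 'two'], [3, 'three'], [7, 'seven']] as $row) {
    $insert->execute($row);
}

/**
 * Fetch xyz for every product_id in $ids, using one "?" per value.
 * The SQL text only ever contains placeholders; the ids travel as data.
 */
function selectByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];            // "IN ()" is a syntax error in most dialects
    }
    // Build "?, ?, ?" with exactly count($ids) placeholders.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT xyz FROM abc WHERE product_id IN ($placeholders) ORDER BY product_id"
    );
    // Bind each value as an integer; whatever a caller puts in $ids is
    // treated as a value, not as part of the statement.
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * The sprintf()-style misunderstanding Lukas describes: one placeholder for
 * the whole list. The joined string arrives as a single literal, so the
 * database compares product_id against the text "1,3,7", not against three
 * numbers, and the rows are not found.
 */
function selectWithSinglePlaceholder(PDO $pdo, array $ids): array
{
    $stmt = $pdo->prepare('SELECT xyz FROM abc WHERE product_id IN (?)');
    $stmt->execute([implode(',', $ids)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(selectByIds($pdo, [1, 3, 7]));
var_dump(selectWithSinglePlaceholder($pdo, [1, 3, 7]));
```

Running the script shows the first call returning the three matching xyz values and the second returning an empty set, which is the behaviour that leads people to fall back to string concatenation. Generating the placeholder list from count($ids) keeps the statement parameterised while still handling any list length; the empty-list guard matters because an IN list with zero placeholders is not valid SQL.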