Newsgroups: php.internals
Xref: news.php.net php.internals:59736
Message-ID: <4F85A771.1070005@ralphschindler.com>
Date: Wed, 11 Apr 2012 10:46:57 -0500
From: ralph@ralphschindler.com (Ralph Schindler)
To: internals@lists.php.net
References: <4F8540E8.6050503@lsces.co.uk>
In-Reply-To: <4F8540E8.6050503@lsces.co.uk>
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design

Hey Lester,

On 4/11/12 3:29 AM, Lester Caine wrote:
> That is almost archaic itself ...
> It should be replaced with a pointer to using parameters ( no we do not
> need 'prepared statements', just parameters ). One of the first things I
> implement on any code that I'm porting. Does away with any aggro over
> escaping strings and is totally safe 'injection'-wise.

While I generally agree, 'just parameters' does have its limitations. Sometimes there are special character sequences that can be exploited to escape out of a quoted value in a SQL string. Offhand, this comes to mind about MySQL:

http://bugs.mysql.com/bug.php?id=8378

-ralph
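The following is an added example, not part of Ralph's message and not code from MySQL or PHP. It models the class of problem he alludes to: a byte sequence in which every quote has been "escaped" yet still closes a quoted SQL literal, because the escaping routine walked raw bytes while the server decoded the statement in a multibyte connection charset (GBK here). That charset-mismatch case is the well-known instance of this bug class; that it is also what the linked bug report covers is an assumption. Every function name, the toy "server" parser and the sample bytes are constructed for illustration.

```python
"""Added example (not from the mailing-list post or from MySQL/PHP source).

A byte-oriented escaper versus a charset-aware one, checked against a toy
model of how a server that decodes the statement in GBK would parse the
first single-quoted literal. All names and sample input are constructed."""

QUOTE, DQUOTE, BACKSLASH, NUL = 0x27, 0x22, 0x5C, 0x00


def escape_bytewise(value: bytes) -> bytes:
    """addslashes()-style escaping: walks raw bytes with no notion of the
    connection charset. This is the weak variant."""
    out = bytearray()
    for b in value:
        if b in (QUOTE, DQUOTE, BACKSLASH, NUL):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def escape_charset_aware(value: bytes, charset: str) -> bytes:
    """Decode with the charset the server will use, escape per character,
    re-encode. The trailing half of a multibyte character can no longer be
    mistaken for a quote, and malformed input raises UnicodeDecodeError
    instead of being forwarded to the server."""
    text = value.decode(charset)  # strict: rejects invalid sequences
    escaped = []
    for ch in text:
        if ch in "'\"\\\x00":
            escaped.append("\\")
        escaped.append(ch)
    return "".join(escaped).encode(charset)


def try_escape_charset_aware(value: bytes, charset: str):
    """Escaped bytes, or None when the input is not valid in `charset`
    (reject the request; do not try to repair the bytes)."""
    try:
        return escape_charset_aware(value, charset)
    except UnicodeDecodeError:
        return None


def build_query(escaped_value: bytes) -> bytes:
    """Hypothetical application code: string assembly, the pattern that
    makes escaping load-bearing in the first place."""
    return b"SELECT * FROM users WHERE name = '" + escaped_value + b"'"


def literal_ends_early(sql: bytes, server_charset: str) -> bool:
    """Toy server: decode the statement in the connection charset, then parse
    the first single-quoted literal honouring backslash escapes. True means
    the literal closed before the statement's final quote, i.e. attacker
    bytes would be parsed as SQL."""
    text = sql.decode(server_charset, errors="replace")
    i = text.index("'") + 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # escaped character: skip it
            continue
        if ch == "'":
            return i != len(text) - 1
        i += 1
    return False  # unterminated literal: the server would reject it


# Constructed attacker input. 0xBF is a valid GBK lead byte and 0x27 is the
# quote. Bytewise escaping turns BF 27 into BF 5C 27; a GBK server reads
# BF 5C as one character and the quote is left bare.
PAYLOAD = b"\xbf\x27 OR 1=1 -- "


def demo() -> dict:
    weak = build_query(escape_bytewise(PAYLOAD))
    return {
        # escaper assumed single-byte, server speaks GBK: literal breaks
        "bytewise_vs_gbk_server": literal_ends_early(weak, "gbk"),
        # same bytes against a single-byte charset: escaping holds
        "bytewise_vs_latin1_server": literal_ends_early(weak, "latin-1"),
        # charset-aware escaper refuses the malformed GBK input outright
        "charset_aware_rejects_payload":
            try_escape_charset_aware(PAYLOAD, "gbk") is None,
        # ...and still handles a legitimate quote in a legitimate name
        "charset_aware_handles_obrien": literal_ends_early(
            build_query(escape_charset_aware(b"O'Brien", "gbk")), "gbk"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the latin-1 row is that the escaper is not wrong in isolation; it is wrong relative to the charset the server actually applies, so the escaper must be told the connection charset (in PHP terms, through the client API's charset setter rather than a `SET NAMES` the client library never sees). Server-side prepared statements with bound parameters sidestep the whole problem because the value never becomes part of the statement text; client-side emulation that re-escapes into a string does not.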