Newsgroups: php.internals
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design
From: lester@lsces.co.uk (Lester Caine)
To: PHP internals
Date: Wed, 11 Apr 2012 17:06:30 +0100
Message-ID: <4F85AC06.50102@lsces.co.uk>
In-Reply-To: <4F85A771.1070005@ralphschindler.com>
References: <4F8540E8.6050503@lsces.co.uk> <4F85A771.1070005@ralphschindler.com>

Ralph Schindler wrote:
> Hey Lester,
>
>> That is almost archaic itself ...
>> It should be replaced with a pointer to using parameters ( no we do not
>> need 'prepared statements', just parameters ). One of the first things I
>> implement on any code that I'm porting. Does away with any aggro over
>> escaping strings and is totally safe 'injection' wise.
>
> While I generally agree, 'just parameters' does have its limitations. Sometimes
> there are special character sequences that can be exploited to escape out of a
> quoted value in a SQL string.
>
> Offhand, this comes to mind about MySQL:
> http://bugs.mysql.com/bug.php?id=8378

Well if you must use a simple database ;)
I've never used MySQL simply because it has yet to get to the same standard as
Firebird ...

But I'm talking about passing parameters direct to '?' entries in the SQL -
something which if it CAN be broken then the database is also broken? The
database handles the 'data' going into a single field at a time.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
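As an added illustration of the contrast the two messages draw (example code written for this page, not from the thread or from PHP's own sources): a string-built query beside one that binds the value to a '?' placeholder, run through PDO over an in-memory SQLite table constructed here. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table stands in
// for whatever database the application talks to; the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 's1'), ('bob', 's2')");

// Constructed input: a value containing a quote character, i.e. one that
// would end the quoted literal if pasted into SQL text.
$input = "alice' OR 'x'='x";

// String-built query: the value is spliced into the SQL text, so the quoting
// and escaping are the application's responsibility. This is the approach
// Ralph's MySQL reference concerns, where escaping can be bypassed.
function lookupInterpolated(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterised query: the SQL text is fixed at prepare time and the value is
// bound to the '?' placeholder, so the driver delivers it to a single column
// as data, which is the point Lester makes about passing parameters direct.
function lookupParameterised(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Compare the two: the interpolated form lets the input rewrite the WHERE
// clause, while the parameterised form only matches a user whose name is
// literally the input string.
var_dump(lookupInterpolated($pdo, $input));
var_dump(lookupParameterised($pdo, $input));
```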