Re: Bind Variables and Quoting / Dequoting Input
Subject: Re: Bind Variables and Quoting / Dequoting Input
Msg-id: 20051212170555.20267.qmail@web33308.mail.mud.yahoo.com
In reply to: Re: Bind Variables and Quoting / Dequoting Input (Michael Fuhr <mike@fuhr.org>)
List: pgsql-novice
--- Michael Fuhr <mike@fuhr.org> wrote:

> On Fri, Dec 09, 2005 at 06:22:29PM -0700, Michael Fuhr wrote:
> > On Fri, Dec 09, 2005 at 01:54:13PM -0800, operationsengineer1@yahoo.com wrote:
> > > do i need to quote input even though i'm using bind
> > > variables in my queries?
> > >
> > > i seem to think that quoting on entry and unquoting on
> > > return was a method for fighting sql injection, but
> > > i'm also thinking that bind variables may make that
> > > step meaningless.
> >
> > Using placeholders should eliminate the need to quote, either by
> > quoting for you or by using the underlying protocol's mechanism for
> > parameterized queries.
>
> I might have misunderstood what you meant by "bind variables."
> Could you explain exactly what you're doing?

yes... this is an adodb code snippet:

> $sql_insert = <<<_EOSQL
> INSERT INTO t_customer (customer_id, customer_name, customer_entry_date)
> VALUES (?,?,?)
> _EOSQL;
>
> $result = $db->Execute($sql_insert,
>     array($customer_id, $customer_name, $db->DBDate(time())));
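The point Michael Fuhr makes above (placeholders remove the need to quote input yourself, and quoting "on entry" on top of placeholders just corrupts the stored value) can be checked directly. The following is an added example, not code from the thread or from ADOdb: it uses Python's built-in sqlite3 module with an in-memory database standing in for the PostgreSQL table `t_customer`, and the table definition, the sample customer names and the date string are constructed for the demonstration. It inserts the same name three ways: spliced into the SQL text, passed as a bind parameter, and pre-escaped then passed as a bind parameter.

```python
import sqlite3

# Constructed stand-in for the PostgreSQL table discussed in the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_customer ("
        "customer_id INTEGER, customer_name TEXT, customer_entry_date TEXT)"
    )
    return conn


def insert_concatenated(conn, customer_id, customer_name, entry_date):
    # Unsafe pattern: the value becomes part of the SQL text, so the
    # database parses any quote inside it as SQL syntax, not as data.
    sql = (
        "INSERT INTO t_customer (customer_id, customer_name, customer_entry_date) "
        "VALUES (%d, '%s', '%s')" % (customer_id, customer_name, entry_date)
    )
    conn.execute(sql)
    conn.commit()


def insert_bound(conn, customer_id, customer_name, entry_date):
    # Placeholders, as in the ADOdb snippet: the driver hands the values to
    # the database separately from the statement, so nothing in the input is
    # ever parsed as SQL and no quoting by the application is needed.
    sql = (
        "INSERT INTO t_customer (customer_id, customer_name, customer_entry_date) "
        "VALUES (?, ?, ?)"
    )
    conn.execute(sql, (customer_id, customer_name, entry_date))
    conn.commit()


def fetch_names(conn):
    rows = conn.execute(
        "SELECT customer_name FROM t_customer ORDER BY customer_id"
    )
    return [row[0] for row in rows]


def demo():
    """Run the three variants on a name containing an apostrophe and
    return what happened to each, so the outcomes can be compared."""
    results = {}
    name = "O'Brien"          # constructed sample value
    entry_date = "2005-12-12" # constructed sample value

    # 1. String concatenation: the apostrophe ends the literal early and
    #    the statement is rejected as malformed SQL.
    conn = make_db()
    try:
        insert_concatenated(conn, 1, name, entry_date)
        results["concatenated"] = "inserted"
    except sqlite3.OperationalError:
        results["concatenated"] = "syntax error"

    # 2. Bind parameter: the name is stored exactly as given, quote included.
    conn = make_db()
    insert_bound(conn, 1, name, entry_date)
    # A value full of SQL-looking punctuation is still just data.
    insert_bound(conn, 2, "Acme 'Quoted' Ltd; -- not a comment", entry_date)
    # 3. "Quoting on entry" (doubling the apostrophe) AND binding: the
    #    escaping is not undone by the driver, so the stored value is wrong.
    insert_bound(conn, 3, name.replace("'", "''"), entry_date)
    results["bound"] = fetch_names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The third row is the practical reason to drop the quote/dequote step once placeholders are in use: escaping that the driver does not expect is stored as literal characters, and a matching "dequote on return" would then have to be applied everywhere the column is read.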