Re: Bind Variables and Quoting / Dequoting Input
From | |
---|---|
Subject | Re: Bind Variables and Quoting / Dequoting Input |
Date | |
Msg-id | 20051213204202.18554.qmail@web33306.mail.mud.yahoo.com |
In response to | Re: Bind Variables and Quoting / Dequoting Input (Michael Fuhr <mike@fuhr.org>) |
List | pgsql-novice |
--- Michael Fuhr <mike@fuhr.org> wrote:

> On Mon, Dec 12, 2005 at 09:08:32AM -0800, operationsengineer1@yahoo.com wrote:
> > Mike, thanks. i was getting quotes inside the
> > database "cells", which is why i had to figure out
> > what was going on. the data is inserted correctly
> > now, i just want to make sure the process is also a
> > safe process.
>
> Using placeholders is supposed to be safe -- that's part of the
> rationale for using them -- but you'd have to examine the implementation
> to be sure it doesn't have any vulnerabilities.
>
> I see the following in the ADOdb documentation:
>
>     Currently Oracle, Interbase and ODBC supports variable binding.
>     Interbase/ODBC style ? binding is emulated in databases that
>     do not support binding. Note that you do not have to quote
>     strings if you use binding.
>
> If this documentation is up to date then apparently the PostgreSQL
> driver does emulation. Recent versions of PostgreSQL (7.4 and
> later) support separation of SQL and parameters at the protocol
> layer but you'd have to dig into ADOdb to see if it uses that
> capability.

fyi, john's answer from his forum...

Yes, in adodb 4.68, if you are running php5, native variable binding is used.
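
The difference between emulated `?` binding and the protocol-level separation of SQL and parameters discussed in this thread, as an added Python sketch. It is not ADOdb's code and not from any poster; all function names are hypothetical, and the SQL statement and values are constructed.

```python
# Added illustration, not ADOdb's code; all function names are hypothetical.
# Limitation: only single-quoted literals are recognised by the scanner.

def split_placeholders(sql, nparams):
    """Split sql at every '?' that lies outside a single-quoted literal."""
    parts, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str and ch == "'" and sql[i + 1:i + 2] == "'":
            buf.append("''")   # doubled quote: still inside the literal
            i += 2
            continue
        if ch == "'":
            in_str = not in_str
        if ch == "?" and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    if len(parts) - 1 != nparams:
        raise ValueError("placeholder/parameter count mismatch")
    return parts

def quote_literal(value):
    """Render a value as SQL literal text; the server coerces it to the column type."""
    if value is None:
        return "NULL"
    text = str(value).replace("'", "''")
    if "\\" not in text:
        return "'" + text + "'"
    # E'' (PostgreSQL 8.1+) with doubled backslashes is read literally by the server.
    return "E'" + text.replace("\\", "\\\\") + "'"

def emulate_bind(sql, params):
    """Emulation: quoted values are spliced into the SQL text itself."""
    parts = split_placeholders(sql, len(params))
    return parts[0] + "".join(quote_literal(v) + t for v, t in zip(params, parts[1:]))

def native_bind(sql, params):
    """Native: '?' becomes $1, $2, ...; values travel separately, unquoted."""
    parts = split_placeholders(sql, len(params))
    text = parts[0] + "".join("$%d%s" % (n, t) for n, t in enumerate(parts[1:], 1))
    return text, list(params)

# Constructed sample statement and values.
SQL = "INSERT INTO notes (author, body) VALUES (?, 'why?' || ?)"
PARAMS = ["O'Brien", "C:\\tmp"]
```

With emulation, the safety of the final statement rests entirely on `quote_literal` and the placeholder scanner; with native binding the values are never parsed as SQL text at all.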