Re: Prepared Statements

>
>
>In my understanding the prepared statement will properly escape any
>parameter so it can be trusted that the resulting query will not contain
>something you wouldn't expect. Example (< and > are delimiters, ignore
>them):
>
>query: <SELECT * from address_book WHERE name = ?>
>
>input: <joe';delete from address_book where 'true>
>
>result if you just replace the <?> with <'$input'>:
>SELECT * from address_book WHERE name = 'joe';delete from address_book
>where 'true'
>-> results in 2 statements executed
>
Nope. You missed a quote :-)

The resulting query would be:
SELECT * from address_book WHERE name = 'joe'';delete from address_book 
where 'true';

This will be a syntax error - not "2 statements executed"... not even 
one statement :-)

But that's not the point anyway.
The app that accepts user input the way you describe and just puts 
quotes around it is of little use anyway ...
To be useful, it would have to take care about escaping the special 
characters on its own - not even to prevent "injection attacs", but just 
to be functional in the way that doesn't generate unexpected syntax 
errors (or just totally wrong data being entered)  just because the 
user's input happens to contain a character that has a special meaning 
to the parser.

Dima