Re: SQL injection
| From | Yonatan Ben-Nes |
|---|---|
| Subject | Re: SQL injection |
| Date | |
| Msg-id | 436A006A.3040709@canaan.co.il |
| In reply to | Re: SQL injection (Hannes Dorbath <light@theendofthetunnel.de>) |
| List | pgsql-general |
Hannes Dorbath wrote:
> On 03.11.2005 04:12, Alex Turner wrote:
>
>> I would have to say that for security purposes - I would want magic
>> quotes _on_ rather than off for the whole reasons of SQL Injection
>> that we already talked about.
>
>
> magic_quotes is evil and does if anything only prevent the simplest
> cases of SQL injections. Keep it turned off. Use
> http://php.net/pg_query_params exclusively to build secure queries..
>

The problem with pg_query_params is that you will be forced to use an RC version of PHP.... I don't know about you, but I think that for production sites I prefer to use the final versions. I think that prepared statements are the best solution here even if it's encumbering everything a little...
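The three approaches the thread contrasts, written out side by side in PHP as an added example (not code from the thread or from PHP's documentation); it assumes an open connection `$db` from `pg_connect()` and a hypothetical table `users(name, email)`.

```php
<?php
// Added example, not from the thread. Assumes $db is an open pg_connect()
// handle and that a table users(name text, email text) exists.

// 1. Backslash escaping, which is all magic_quotes_gpc does (addslashes on
//    every GET/POST/cookie value). The value is still pasted into the SQL
//    text, and PostgreSQL treats backslashes literally when
//    standard_conforming_strings is on (the default since 9.1), so a quote
//    escaped as \' is no longer an escaped quote. This is the weak pattern.
function find_email_magic_quotes($db, string $name)
{
    $sql = "SELECT email FROM users WHERE name = '" . addslashes($name) . "'";
    return pg_query($db, $sql);
}

// 2. pg_query_params(): the SQL text is constant and the value travels as a
//    separate parameter, so the server never parses it as SQL. Placeholders
//    are $1, $2, ...; the query string must contain no user-supplied text.
function find_email_params($db, string $name)
{
    return pg_query_params($db, 'SELECT email FROM users WHERE name = $1', [$name]);
}

// 3. A named server-side prepared statement: parsed once, executed many
//    times with different parameters. Same code/data separation as (2);
//    this is the "prepared statements" option the reply prefers.
function find_email_prepared($db, string $name)
{
    static $prepared = false;
    if (!$prepared) {
        pg_prepare($db, 'find_email', 'SELECT email FROM users WHERE name = $1');
        $prepared = true;
    }
    return pg_execute($db, 'find_email', [$name]);
}

// Usage: with (2) or (3) a name containing a quote simply matches no row,
// because it is compared as data instead of being spliced into the statement.
$result = find_email_params($db, "O'Brien");
while ($row = pg_fetch_assoc($result)) {
    echo $row['email'], "\n";
}
```

Note that the query string handed to `pg_query_params()` or `pg_prepare()` is in single quotes so PHP does not try to interpolate anything into it.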