Re: More PHP DB abstraction layer stuff
From | Nigel J. Andrews |
---|---|
Subject | Re: More PHP DB abstraction layer stuff |
Date | |
Msg-id | Pine.LNX.4.21.0301241914020.28504-100000@ponder.fairway2k.co.uk |
In reply to | Re: More PHP DB abstraction layer stuff (Dennis Gearon <gearond@cvc.net>) |
Responses | Re: More PHP DB abstraction layer stuff |
List | pgsql-general |
On Fri, 24 Jan 2003, Dennis Gearon wrote:

> could you elaborate on:
>
> Place holders ( those are in prepared queries, yes?)
> out of band?
>
> 1/24/2003 9:22:42 AM, Greg Stark <gsstark@mit.edu> wrote:
>
> >
> >But the best way to deal with this is to use placeholders and prepared queries
> >and provide the data out of band. This completely sidesteps the issue and
> >guarantees you can't get it wrong by mistake ever. Mixing user-provided data
> >with program code is a recipe for security holes.

In perl with DBI:

$sth = $dbh->prepare("SELECT * FROM mytable WHERE id = ?");
$sth->execute($idvalue);

I didn't even know it was possible in PHP. I've never used it before.

--
Nigel J. Andrews
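The placeholder approach Greg Stark describes in the quoted text, shown as an added example that is not code from this thread. Python's standard-library sqlite3 module stands in for PostgreSQL so the example runs offline; the table, its rows and the hostile input value are constructed here. sqlite3 uses the same `?` placeholder convention as the Perl DBI snippet, so the two lookup functions differ only in whether the value is spliced into the SQL text or handed over separately.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the "mytable" of the quoted example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany(
        "INSERT INTO mytable VALUES (?, ?)",
        [("1", "alpha"), ("2", "beta"), ("3", "gamma")],
    )
    conn.commit()
    return conn


def lookup_interpolated(conn, idvalue):
    # The pattern the quoted message warns against: user data becomes part of
    # the program code, so the database cannot tell value from SQL.
    sql = "SELECT id FROM mytable WHERE id = '%s' ORDER BY id" % idvalue
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, idvalue):
    # Placeholder form: the statement text is fixed and the value travels
    # "out of band" as a parameter, so it can only ever be compared as data.
    sql = "SELECT id FROM mytable WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (idvalue,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: a value that reads as SQL if spliced into the text.
    hostile = "1' OR '1'='1"
    print("interpolated:", lookup_interpolated(conn, hostile))  # every row leaks
    print("placeholder: ", lookup_placeholder(conn, hostile))   # no row matches
```

With an ordinary id both functions return the same single row; with the constructed hostile value the interpolated query returns every row while the placeholder query returns nothing, which is the "can't get it wrong by mistake" property the quoted text refers to. The same distinction holds for PostgreSQL drivers that support parameters; only the placeholder spelling varies between libraries.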