> > But - using multiple statements in single calls is an invitation for
> > injection attacks.
>> How so ?
>> Once you validate your user input doesn't have SELECT, "DELETE"...
> INSERT DROP or other harmful statments.... how does it make a difference
> *how many* statments in the one execute operate on this data ?
Does PHP require that you manually insert arguments in SQL strings?
Surely you can use something like ADO's positional parameters
(warning! VB code):
cmd.CommandText = "SELECT a FROM b WHERE ID = ?"
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter("ID",
adChar, adParamInput, , "fred")
where "fred" could be user-supplied data.
It then becomes the database access layer's problem to figure
out how to safely quote the arguments.
ADO.NET does one better by using named arguments, so you don't need
to manually keep the Parameters.Append statements in the same order
as the '?'s in the query string.
Please tell me PHP has a database access library that provides this
type of facility...
Later,
Kenn
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
