Kenn Humborg wrote:
>>> But - using multiple statements in single calls is an invitation for
>>>>How so ?
>>>>Once you validate your user input doesn't have SELECT, "DELETE"...
>>INSERT DROP or other harmful statments.... how does it make a difference
>>*how many* statments in the one execute operate on this data ?
>>> Does PHP require that you manually insert arguments in SQL strings?
>> Surely you can use something like ADO's positional parameters
> (warning! VB code):
> cmd.CommandText = "SELECT a FROM b WHERE ID = ?"
> cmd.CommandType = adCmdText
> cmd.Parameters.Append cmd.CreateParameter("ID",
> adChar, adParamInput, , "fred")
> where "fred" could be user-supplied data.
>> It then becomes the database access layer's problem to figure
> out how to safely quote the arguments.
>> ADO.NET does one better by using named arguments, so you don't need
> to manually keep the Parameters.Append statements in the same order
> as the '?'s in the query string.
>> Please tell me PHP has a database access library that provides this
> type of facility...
It should be relatively easy to do in virtually any language.... but
(why) would you want to do it that way ?
There may even be a mod_ado for php, I don't know about ADO..
I guess if you were really *really* determined... you could have a
Postgre function or MySQL (version 5?) stored procedure *validate* it's
But... wouldn't it just be a whole lot simpler (and less wasteful) to
validate the data ... as soon as it's input ?
Moreover... I'm still not seeing a huge advantage in using automagic ADO
parameters... at all really.
Perhaps you could give some more examples ?
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!