[nycphp-talk] PEAR:DB & SQL Injection
Daniel Convissor
danielc at analysisandsolutions.com
Tue Mar 8 18:34:59 EST 2005
Hi Jeff:
On Tue, Mar 08, 2005 at 04:25:39PM -0500, Jeff Loiselle wrote:
> When using prepare() and execute() in PEAR:DB, is there still
> possibility of SQL injection attakcs?
No, but it guards you against "attacks." :)
While prepare/execute should solve most issues, I always strictly check
incoming data. If the column is an integer, I make sure the data only
contains integers and isn't too long. Etc...
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
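The two points in Dan's reply, prepare/execute with placeholders and strict checking of incoming data, side by side. This is an added example and not code from the mailing-list post; it assumes the PEAR::DB API of the period (DB::connect, prepare, execute, DB::isError) and a hypothetical DSN and users table.

```php
<?php
// Added example (not from the mailing-list post): PEAR::DB prepare/execute
// with a '?' placeholder, beside the raw-interpolation form it replaces,
// plus the strict integer check Dan describes.
require_once 'DB.php';

// Hypothetical DSN and schema; adjust for your environment.
$db =& DB::connect('mysql://user:pass@localhost/app');
if (DB::isError($db)) {
    die($db->getMessage());
}

// UNSAFE: the statement is built from raw input, so any quote or comment
// sequence in $id becomes part of the SQL text.
function unsafeLookup($db, $id)
{
    return $db->query("SELECT name FROM users WHERE id = $id");
}

// SAFE: the '?' placeholder is filled at execute() time; PEAR::DB quotes
// the value as data, so it is never parsed as SQL.
function safeLookup($db, $id)
{
    $sth = $db->prepare('SELECT name FROM users WHERE id = ?');
    if (DB::isError($sth)) {
        return $sth;
    }
    return $db->execute($sth, array($id));
}

// Dan's second layer: check the data before it reaches the query at all.
// For an integer column accept only digits and reject over-long values.
// (The 10-digit cap is an assumption sized to a 32-bit INT column.)
function checkIntColumn($value, $maxLen = 10)
{
    $value = (string) $value;
    return $value !== '' && ctype_digit($value) && strlen($value) <= $maxLen;
}

$id = isset($_GET['id']) ? $_GET['id'] : '';
if (!checkIntColumn($id)) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid id');
}

$res = safeLookup($db, $id);
if (DB::isError($res)) {
    die($res->getMessage());
}
while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
    echo htmlspecialchars($row['name']), "\n";
}
```

Two caveats when relying on prepare/execute in PEAR::DB: only the `?` placeholder is quoted (the `!` placeholder inserts the value unquoted and must never receive untrusted input), and placeholders cover values only, not table or column names, so identifiers chosen from user input still need a whitelist check like the one above.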