[nycphp-talk] Not-so-subtle attack on PHP
csnyder
chsnyder at gmail.com
Thu Sep 27 09:11:34 EDT 2007
On 9/26/07, John Campbell <jcampbell1 at gmail.com> wrote:
> > My personal favorite:
> > public function esc( $value ) {
> > return mysql_real_escape_string( $value, $this->db );
> > }
>
> If that is your personal favorite, you are justifying the article.
> All you have to do is forget to use single quotes once and your site
> is vulnerable. Step up and start using prepared queries.
Hmm, yeah, I probably should, now that everything is PHP 5.
I need to create SQL snippets that get embedded in multiple and
modular queries, like "obj.priority > 99 AND obj.title='Foo' "... is
there a way to "pre-prepare" that? Or will I need to pass an object
around with the statement "obj.priority > ? AND obj.title=?" and the
two values as properties?
--
Chris Snyder
http://chxo.com/
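One way to "pre-prepare" a snippet like "obj.priority > ? AND obj.title = ?" is to carry the placeholder SQL and its values together in a small object, combine such objects into the WHERE clause, and let PDO bind the values when the final statement is prepared. The following is an added example, not code from the original thread or from any poster; the SqlFragment class, its method names, the in-memory SQLite table and the sample rows are my own, and it assumes PHP 7.4+ with the pdo_sqlite extension loaded.

```php
<?php
// Added example: a composable SQL fragment that keeps "?" placeholders and
// their values together so modular query pieces can be combined and then
// executed as a single prepared statement. Values never touch the SQL text.
final class SqlFragment
{
    private string $sql;
    private array $params;

    public function __construct(string $sql, array $params = [])
    {
        // Sanity check: the number of "?" in the snippet must equal the number
        // of values supplied (assumes fragments contain no literal "?" in
        // string constants, which is true for the snippets in this thread).
        if (substr_count($sql, '?') !== count($params)) {
            throw new InvalidArgumentException('placeholder/value count mismatch');
        }
        $this->sql = $sql;
        $this->params = array_values($params);
    }

    public function sql(): string
    {
        return $this->sql;
    }

    public function params(): array
    {
        return $this->params;
    }

    // Combine fragments with AND. Each piece is parenthesised so operator
    // precedence inside a fragment cannot leak out, and the value lists are
    // concatenated in the same order as the placeholders they belong to.
    public static function all(SqlFragment ...$parts): SqlFragment
    {
        $sql = implode(' AND ', array_map(fn (SqlFragment $p) => '(' . $p->sql() . ')', $parts));
        $params = array_merge([], ...array_map(fn (SqlFragment $p) => $p->params(), $parts));
        return new SqlFragment($sql, $params);
    }
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE obj (id INTEGER PRIMARY KEY, priority INTEGER, title TEXT)');
$ins = $db->prepare('INSERT INTO obj (priority, title) VALUES (?, ?)');
foreach ([[100, 'Foo'], [50, 'Foo'], [120, "Foo' OR '1'='1"], [150, 'Bar']] as $row) {
    $ins->execute($row);
}

// The two snippets from the post. The title is deliberately the kind of
// value that breaks a hand-escaped query whose quotes were forgotten; as a
// bound parameter it is compared literally.
$userTitle = "Foo' OR '1'='1";
$where = SqlFragment::all(
    new SqlFragment('obj.priority > ?', [99]),
    new SqlFragment('obj.title = ?', [$userTitle])
);

// The fragment supplies both halves of the prepared statement.
$stmt = $db->prepare('SELECT id, priority, title FROM obj WHERE ' . $where->sql());
$stmt->execute($where->params());
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Only the row whose title is literally "Foo' OR '1'='1" and whose priority
// exceeds 99 comes back (id 3), not every row in the table.
print_r($rows);
```

Had the same title been interpolated into the SQL without quoting, the WHERE clause would have read `obj.priority > 99 AND obj.title=Foo' OR '1'='1` and the whole table would have matched; with the object approach the snippet is reusable in any query that takes the same placeholder order, and the driver does the binding.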