[vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)
Ken Bloom
kabloom at ucdavis.edu
Fri Mar 18 11:01:13 PST 2005
On Fri, 18 Mar 2005 10:57:34 -0500
p at dirac.org (Peter Jay Salzman) wrote:
> Obtech: I tried to consolidate my knowledge of PHP, magic quotes, and
> SQL. This is my complete understanding on the topic:
>
> http://www.dirac.org/linux/sql_quoting.html
>
> If someone has the time to comment on it and tell me whether I got it
> right or wrong, I'd appreciate it. (This is what I was trying to read
> about when I stumbled onto the avatar above).
>
> Pete
Does PHP not have ?-parameter substitution (so you can say
    SELECT * FROM table WHERE stringattribute=?
and substitute the ? with a string that is properly quoted according to
the language conventions)?
For example, in Java
    import java.sql.*;

    class Lookup {
        // c must already be connected; initialize it however you need
        // to connect to the database (DriverManager, a pool, etc.).
        static ResultSet lookup(Connection c) throws SQLException {
            // The ? is a placeholder; the value is bound separately,
            // so the driver handles quoting, not string concatenation.
            PreparedStatement s = c.prepareStatement(
                "SELECT * FROM table WHERE stringattribute=?"
            );
            s.setString(1, "It's easy to see that you couldn't embed " +
                "this in the statement itself");
            return s.executeQuery();
        }
    }
This is probably the best way to avoid escaping problems.
--Ken Bloom
--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
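The same contrast, as an added example that is not part of the thread, redone in Python with the standard sqlite3 module so it can be run: embedding a value containing an apostrophe directly in the SQL text breaks the statement, while binding it through a ? placeholder passes it as data. The table, rows and function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample value: it contains apostrophes, which is exactly the
# case that naive string embedding (and magic-quotes style patching) trips on.
SAMPLE_VALUE = "It's easy to see that you couldn't embed this in the statement itself"


def make_db():
    """Build an in-memory table with one awkward row and one plain row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, stringattribute TEXT)")
    conn.execute("INSERT INTO t VALUES (1, ?)", (SAMPLE_VALUE,))
    conn.execute("INSERT INTO t VALUES (2, 'plain')")
    conn.commit()
    return conn


def lookup_embedded(conn, value):
    """Splice the value into the SQL text. Returns matching ids, or the
    error text when a quote inside the value breaks the statement."""
    sql = "SELECT id FROM t WHERE stringattribute='" + value + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as e:
        return "error: " + str(e)


def lookup_parameterized(conn, value):
    """Use a ? placeholder; the driver sends the value separately, so
    quotes in it are data and never reach the parser as SQL syntax."""
    sql = "SELECT id FROM t WHERE stringattribute=?"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    print("embedded:     ", lookup_embedded(db, SAMPLE_VALUE))
    print("parameterized:", lookup_parameterized(db, SAMPLE_VALUE))
```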