Re: sql injection

Jeremy Cowgar said...

That's really a job for the database library you are using because different database servers escape characters differently. Some may use '' to escape a single quote, others will use \'. Now, the way I did it in my unfinished DBI library was to allow you to do things such as:

If I read this correctly, you're taking an escape approach, rather than using parameters? What about prepared statements?

Matt
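The difference the two posts above turn on, as an added example that is not part of the thread: a hand-built query only stays correct when the escaping rule matches the server's dialect (quote doubling versus backslash escaping), while a parameter placeholder lets the driver carry the value separately. The table, names and helper functions below are constructed for illustration and use Python's sqlite3 module.

```python
import sqlite3


def make_db():
    # Constructed sample table; "o'neil" carries the quote that breaks naive queries.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'neil", "user")])
    return conn


def escape_backslash_style(value):
    # Backslash escaping, as some servers accept it. SQLite does not.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_quote_doubling(value):
    # SQL-standard quote doubling, which SQLite (and most servers) understand.
    return value.replace("'", "''")


def lookup_escaped(conn, name, escaper):
    # Query text assembled by hand; correctness depends on picking the right escaper.
    sql = "SELECT role FROM users WHERE name = '%s'" % escaper(name)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None  # the escaping did not match this server's dialect


def lookup_param(conn, name):
    # Placeholder binding: the value never becomes part of the SQL text.
    return [row[0] for row in
            conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


def demo():
    conn = make_db()
    return {
        "param": lookup_param(conn, "o'neil"),
        "doubled": lookup_escaped(conn, "o'neil", escape_quote_doubling),
        "backslash": lookup_escaped(conn, "o'neil", escape_backslash_style),
    }


if __name__ == "__main__":
    print(demo())  # backslash escaping yields None on SQLite; the other two find "user"
```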
