Re: sql injection
- Posted by Jeremy Cowgar Jul 13, 2008
- 721 views
Matt Lewis said...
If I read this correctly, you're taking an escape approach, rather than using parameters? What about prepared statements?
Prepared statements are not supported yet. It may very well change the design overall. One difficulty with prepared statements and a DBI is how each database may do it slightly differently, and some databases do not do it at all ... Some use ?, others use %1, %2, %3. I am not yet sure how to go about handling it. I am open to suggestions.
Jeremy
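One way a DBI can absorb the placeholder differences described above is to accept a single canonical style (`?`) and rewrite it per backend, while the bound values never touch the SQL text. This is an added example in Python, not code from the thread or from the DBI under discussion; the `%1`-style spelling is taken from the post, and the `DIALECTS` table, function names and the doubled-quote escape rule are assumptions to confirm against each driver.

```python
# Placeholder dialects named in the thread, as functions of the 1-based
# position.  Which spelling a given driver actually wants is an assumption.
DIALECTS = {
    "qmark": lambda n: "?",         # positional ?, unchanged
    "numbered": lambda n: f"%{n}",  # the %1, %2, %3 style from the post
}

def translate_placeholders(sql, dialect):
    """Rewrite '?' positional placeholders into the target dialect.

    Scans character by character so a '?' inside a quoted string literal
    or a -- line comment is left untouched.  Returns (sql, count) so the
    caller can verify that exactly `count` values get bound.
    """
    emit = DIALECTS[dialect]
    out, i, n, count = [], 0, len(sql), 0
    quote = None  # the quote character we are currently inside, if any
    while i < n:
        ch = sql[i]
        if quote:
            out.append(ch)
            if ch == quote:
                if i + 1 < n and sql[i + 1] == quote:  # '' or "" escape
                    out.append(quote)
                    i += 1
                else:
                    quote = None
        elif ch in ("'", '"'):
            quote = ch
            out.append(ch)
        elif sql.startswith("--", i):  # copy a line comment verbatim
            j = sql.find("\n", i)
            j = n if j == -1 else j
            out.append(sql[i:j])
            i = j
            continue
        elif ch == "?":
            count += 1
            out.append(emit(count))
        else:
            out.append(ch)
        i += 1
    return "".join(out), count

def prepare(sql, params, dialect):
    """Translate the statement and check arity; values stay out of the SQL."""
    translated, count = translate_placeholders(sql, dialect)
    if count != len(params):
        raise ValueError(f"query has {count} placeholders, got {len(params)} values")
    return translated, tuple(params)
```

Because the values are returned separately for the driver to bind, a user-supplied string such as `'; DROP TABLE users; --` is only ever data, which is the property the escaping approach has to reconstruct by hand.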