SQL parameter binding

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

SQL parameter binding

Post by timvw »

How many years is it going to take before people finally realise that 'preparing' SQL statements and 'binding' parameters is the only sane way to perform queries in a 'safe' way?
(We're like in 2010 and I still see a lot of garbage examples being made... *vent frustration*)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: SQL parameter binding

Post by social_experiment »

Probably when their sites get exploited. IMO (some) people only learn from experience brought on by a traumatic crack. Or when they start to read: many (if not all) books, PDFs and sites advocate preparing SQL statements.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: SQL parameter binding

Post by Weirdan »

timvw wrote: How many years is it going to take before people finally realise that 'preparing' SQL statements and 'binding' parameters is the only sane way to perform queries in a 'safe' way?
Not until there is a way in the MySQL client-server protocol to do this without serious performance degradation.
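Added example (not code from any poster in this thread): the bound-parameter pattern timvw argues for, next to the string-building anti-pattern, plus the PDO prepare-emulation setting that bears on Weirdan's round-trip concern. The DSN, credentials and the `users(id, email, active)` table are assumptions.

```php
<?php
declare(strict_types=1);

// Placeholder DSN and credentials (assumed; replace with your own).
$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // false = real server-side prepare: COM_STMT_PREPARE then COM_STMT_EXECUTE,
    // i.e. two round trips per fresh statement (the cost Weirdan refers to).
    // true  = pdo_mysql's default: PDO quotes the values client-side and sends one
    // query text. Both keep data out of the SQL grammar; only the cost differs.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Anti-pattern the thread complains about: the value is spliced into the SQL text,
// so whatever it contains is parsed as part of the statement.
function findUserUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email' AND active = 1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement with a bound parameter: the statement shape is fixed first and
// the value travels separately, so it can never change the query structure.
function findUser(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare(
        'SELECT id, email FROM users WHERE email = :email AND active = 1'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Prepare once, execute many: amortises the extra round trip of a native prepare
// across a batch instead of paying it on every query.
function findUsers(PDO $pdo, array $emails): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = ? AND active = 1');
    $rows = [];
    foreach ($emails as $email) {
        $stmt->execute([(string) $email]); // positional value, bound as a string
        $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
    }
    return $rows;
}
```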