A DAL-level SQL injection protection is a good idea?
Posted: Fri Sep 12, 2008 5:06 pm
Hi,
I'm done with the developers of my project writing non-SQL-injection-safe code. I want my DAL to do it.
Here's what I have done so far:

    $db -> prepare('INSERT INTO a (a,b,c,d) VALUES (?,?,?,?)');
    $db -> bind($a,$b,$c,$d); // Another way is to separately put bind($a) bind($b) etc...
    $db -> exec();

This way no one can insert non-SQL-injection-safe code. BUT I WAS WRONG. Anyone can do:

    $db -> prepare("SELECT a FROM b WHERE c=$d");
    $db -> exec();

Anyone might do the above, which is obviously a huge danger. Instead he should do "WHERE c=?" and use bind() <_<
What can I do?
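Added example, not code from the poster or their DAL: a Python/sqlite3 sketch of the same prepare/bind/exec wrapper that additionally refuses any SQL text carrying an inline literal, so a query built by string pasting (the pattern above) fails at prepare() time instead of reaching the database. The table, the column names, the sample rows and the INLINE_LITERAL regex are assumptions for the demo.

```python
import re
import sqlite3

# Heuristic, not a SQL parser: flags quoted string literals and a number right
# after a comparison operator, i.e. a value pasted into the SQL text itself.
INLINE_LITERAL = re.compile(r"""'(?:[^']|'')*'|"[^"]*"|[=<>]\s*\d""")

class DAL:
    """prepare/bind/exec wrapper that accepts values only via '?' placeholders."""
    def __init__(self, conn):
        self.conn, self.sql, self.params = conn, None, ()

    def prepare(self, sql):
        if INLINE_LITERAL.search(sql):
            raise ValueError("inline literal in SQL; use ? and bind()")
        self.sql, self.params = sql, ()
        return self

    def bind(self, *params):
        if self.sql.count("?") != len(params):
            raise ValueError("placeholder/parameter count mismatch")
        self.params = params
        return self

    def exec(self):
        return self.conn.execute(self.sql, self.params).fetchall()

def make_db():
    """Constructed in-memory table for the demo (not the poster's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE b (a TEXT, c INTEGER)")
    conn.executemany("INSERT INTO b VALUES (?, ?)", [("alice", 1), ("bob", 2), ("carol", 3)])
    return conn

def lookup_unsafe(conn, d):
    """The pattern the post warns about: the value is pasted into the SQL text."""
    return conn.execute(f"SELECT a FROM b WHERE c={d}").fetchall()

def lookup_safe(conn, d):
    """The value travels as a bound parameter and is never parsed as SQL."""
    return DAL(conn).prepare("SELECT a FROM b WHERE c=?").bind(d).exec()

def is_rejected(conn, sql):
    """True if the DAL refuses this SQL text, e.g. a query built by string pasting."""
    try:
        DAL(conn).prepare(sql)
        return False
    except ValueError:
        return True
```

The literal check is deliberately coarse and will also reject legitimate constants such as `WHERE c > 0`, so treat it as a guard rail that pushes every value through bind(), not as a substitute for reviewing the DAL's callers.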