The state of PHP security
Posted Dec 21, 2006 19:04 UTC (Thu) by iabervon
In reply to: The state of PHP security
Parent article: The state of PHP security
I still think the solution to SQL access is to remove support for using strings as SQL statements, and instead have a "SQL statement" type, with functions to append statement text (with it being an error to include any single quotes in this) and to append constants. This is easier to use and read than concatenating strings anyway, and can be implemented safely regardless of what the foolish users do.
to post comments)