[Solar-talk] Re: Solar_Sql function _getTypeSizeScope returns incorrect type
Andreas Ravnestad
andreas.ravnestad at gmail.com
Wed Jul 11 17:52:18 CDT 2007
Paul M Jones and Pierre Oztel wrote:
>> Here's a list of suggestions that I'd like Solar to implement:
>>
>> - 100% of the queries are prepared statements, no quote
>
> *Almost* all queries can work this way, and all the automated query
> methods do in fact work like this. However, it's not possible to
> force developers to use prepared statements; they can always do scary
> stuff if they want to:
>
> $sql->query("SELECT id FROM table_name WHERE id = '{$_GET['id']}'")
>
> Best I can do is to make it really really easy to build prepared
> statements:
>
> $sql->query(
>     "SELECT id FROM table_name WHERE id = :id",
>     array('id' => (int) $_GET['id'])
> );
>
Just a quick note about prepared statements and software security and
best practices etc. - this is a good opportunity to educate newcomers!
Specifically, I suggest that any official examples using SQL inserts
should use syntax for prepared statements (like the one immediately
above), and warn about the dangers of SQL injection.
On a personal note and as some justification for my suggestion, I would
have saved myself a lot of grief if I had learned about prepared
statements earlier in life :)
-Andreas
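As an added example (not code from this thread or from Solar itself), here are the two query styles Paul quotes above run side by side, using PDO against an in-memory SQLite table as an assumed stand-in for Solar_Sql, with a constructed request value in place of $_GET['id']. The interpolated form returns every row, the bound form returns none, and the bound form with the (int) cast from Paul's snippet returns only row 1.

```php
<?php
// Added example, not Solar's own code: PDO is assumed as a stand-in for
// Solar_Sql, whose query() takes the same "statement + bind array" shape.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE table_name (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO table_name (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed input standing in for $_GET['id']: a quote that closes the
// string literal, followed by a condition that is always true.
$input = "1' OR '1'='1";

// 1. Interpolation: the input becomes part of the SQL text, so the quote it
//    carries ends the literal and the OR clause matches every row.
function idsByInterpolation(PDO $pdo, $input)
{
    $sql = "SELECT id FROM table_name WHERE id = '{$input}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the value is sent separately from the SQL text, so
//    the whole input is compared as one value and never changes the query.
function idsByPreparedStatement(PDO $pdo, $input)
{
    $stmt = $pdo->prepare("SELECT id FROM table_name WHERE id = :id");
    $stmt->execute(array('id' => $input));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "interpolated:   ", implode(',', idsByInterpolation($pdo, $input)), "\n";
echo "prepared:       ", implode(',', idsByPreparedStatement($pdo, $input)), "\n";
// The (int) cast from Paul's snippet on top of binding: the garbage after the
// leading digit is dropped and only the intended row comes back.
echo "prepared (int): ", implode(',', idsByPreparedStatement($pdo, (int) $input)), "\n";
```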