[Info-vax] Any stronger versions of the LMF planned ?, was: Re: LMF Licence Generator Code

Arne Vajhøj arne at vajhoej.dk
Thu Aug 12 20:53:29 EDT 2021


On 8/12/2021 7:46 PM, Lawrence D’Oliveiro wrote:
> On Thursday, August 12, 2021 at 7:15:02 PM UTC+12, Jan-Erik Söderholm
> wrote:
>> Den 2021-08-12 kl. 08:58, skrev Lawrence D’Oliveiro:
>>> But it turns out the best way to interface to a relational DBMS
>>> is to generate SQL query strings.
>> 
>> No, it is not. It is inefficient (since it needs to "compile" the
>> SQL at each execution) and dynamic SQL statements are the source
>> of "SQL injection" issues.
> 
> Ah, the mindless knee-jerk reaction yet again. No, the source of
> embedded-language issues is improper quoting of embedded parameter
> values. I see this a lot in PHP code that I am called upon to fix!
> All the good DBMS APIs I have come across offer a
> “format_sql_value()” function, or equivalent, to address precisely
> this problem.

You should not use such a function in PHP.

PDO: call prepare with placeholders and execute with parameter array.

mysqli: call prepare with placeholders, bind_param with parameters and
execute.

pgsql: call prepare with placeholders and execute with parameter array.

Arne
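The three prepared-statement patterns listed above, written out as an added example (this is not code from the original post or from any of the people in the thread). It assumes a table `users` with columns `id` and `email`, local connection parameters, and an untrusted request value `$emailFromRequest`; all of those are illustrative assumptions. The commented-out string concatenation at the top is the pattern being argued against: the user-supplied value becomes part of the SQL text, whereas in each of the three library forms the SQL text is fixed and the value travels separately as a parameter.

```php
<?php
// Added example, not from the original post. Assumptions: a `users` table with
// `id` and `email` columns, local credentials, and $emailFromRequest as untrusted input.

$emailFromRequest = $_GET['email'] ?? '';

// The pattern to avoid: the untrusted value is spliced into the SQL text itself.
// Any value the escaping helper misses (or a call site that forgets the helper)
// changes the structure of the query, which is what SQL injection is.
// $sql = "SELECT id FROM users WHERE email = '" . $emailFromRequest . "'";

// 1. PDO: prepare with placeholders, execute with a parameter array.
//    The SQL text never contains the value; the driver sends it separately.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);
$stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
$stmt->execute([':email' => $emailFromRequest]);
$pdoRows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 2. mysqli: prepare with placeholders, bind_param with the parameters, then execute.
$mysqli = new mysqli('localhost', 'app', 'secret', 'app');
$stmt = $mysqli->prepare('SELECT id FROM users WHERE email = ?');
$stmt->bind_param('s', $emailFromRequest); // 's' declares the bound value as a string
$stmt->execute();
$mysqliRows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// 3. pgsql: prepare with $1, $2, ... placeholders, execute with a parameter array.
$pg = pg_connect('host=localhost dbname=app user=app password=secret');
pg_prepare($pg, 'find_user_by_email', 'SELECT id FROM users WHERE email = $1');
$res = pg_execute($pg, 'find_user_by_email', [$emailFromRequest]);
$pgRows = pg_fetch_all($res) ?: [];
```

In all three forms the query text is a constant, so a reviewer can see at a glance that no request data reaches the parser as SQL. A quoting helper applied to the value leaves the query text dynamic, which is why the compile-per-execution cost mentioned earlier in the thread and the injection risk both go away only when the placeholder form is used.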
