
   comp.os.vms      DEC's VAX* line of computers & VMS.      264,096 messages   


   Message 262,810 of 264,096   
   Arne Vajhøj to Lawrence D'Oliveiro   
   Re: VMS x86-64 database server   
   09 Jul 25 15:33:50   
   
   From: arne@vajhoej.dk   
      
   On 7/9/2025 3:25 AM, Lawrence D'Oliveiro wrote:   
   > On Tue, 8 Jul 2025 21:54:20 -0400, Arne Vajhøj wrote:   
   >> On 7/8/2025 7:38 PM, Lawrence D'Oliveiro wrote:   
   >>> On Tue, 8 Jul 2025 18:40:31 -0400, Arne Vajhøj wrote:   
   >>>> Dynamically creating SQL string where the dynamic part is for data   
   >>>> is a security disaster waiting to happen (and possible poor   
   >>>> performance as well).   
   >>>   
   >>> That’s a pretty naïve statement to make.   
   >>>   
   >>> Quoting literal data in standard SQL is quite simple: turn the data   
   >>> into a string literal with single quotation marks, and any embedded   
   >>> single quotation marks are written twice. That’s it. Every other   
   >>> character can be represented as itself, literally.   
   >>   
   >> It is an assumption that all developers remember to do it right.   
      
   >>    
   >> Defense Option 4: STRONGLY DISCOURAGED: Escaping All User-Supplied Input   
   >>    
   >   
   > Unfortunately, you often have no choice.   
      
   You practically always have a choice.   
      
   >> Very few APIs do not allow prepare/parameters ...   
   >   
   > None of them include support for all the necessary cases.   
      
   People seem to be able to make it do.   
      
   >> Because mysql extension did not support prepare/parameters   
   >> they first added a mysql_escape_string function to do what one   
   >> thinks should be done.   
   >>   
   >> $s = mysql_escape_string($s);   
   >>   
   >> But clever people found out that the argument list was   
   >> wrong.   
   >   
   > That was just the usual PHP brain damage. Others were able to do it   
   > right from the beginning.   
      
   Your escape function does not have database connection   
   either.   
      
   :-)   
      
   >> error_reporting(E_ERROR);   
   >   
   > Here’s another example of PHP brain damage: the fact that reporting   
   > SQL errors is *optional*!   
      
   ????   
      
   Reporting of SQL errors is not optional in PHP.   
      
   It either gives an error code or an exception depending on config.   
      
   error_reporting(E_ERROR) is not to enable errors but to disable   
   warnings. I have a PHP old enough to still have the mysql extension,   
   but I do not have a PHP old enough not to give warnings about   
   use of the mysql extension.   
      
   Arne   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
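The three approaches argued over above, side by side, as an added example that is not part of the thread: the "forgot to quote" concatenation, Lawrence's quote-doubling recipe, and a prepared statement with a parameter. It is written in Python against an in-memory SQLite database standing in for the PHP/MySQL code being discussed; the table, the rows and the two probe inputs are constructed for the demonstration.

```python
import sqlite3


def quote_literal(value: str) -> str:
    """Standard-SQL string literal: wrap in single quotes, double any
    embedded single quote. Note it knows nothing about the connection
    (character set etc.), which is Arne's point about escape functions
    that take no connection handle."""
    return "'" + value.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    # Constructed sample data; one name legitimately contains a quote.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # The developer who did not remember to quote: data pasted into SQL.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    # Dynamic SQL, but the data goes through the quoting recipe first.
    sql = "SELECT role FROM users WHERE name = " + quote_literal(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Prepared statement: the driver keeps SQL text and data separate,
    # so there is nothing for the developer to forget.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def run(fn, conn: sqlite3.Connection, name: str):
    # Return the rows, or the exception class name if the SQL was broken.
    try:
        return fn(conn, name)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__


def demo() -> dict:
    conn = make_db()
    legit = "O'Brien"            # ordinary data that happens to contain a quote
    probe = "' OR '1'='1"        # constructed input mixing a quote with SQL tokens
    return {
        "concat_legit": run(lookup_concat, conn, legit),
        "escaped_legit": run(lookup_escaped, conn, legit),
        "param_legit": run(lookup_param, conn, legit),
        "concat_probe": run(lookup_concat, conn, probe),
        "escaped_probe": run(lookup_escaped, conn, probe),
        "param_probe": run(lookup_param, conn, probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value}")
```

The concatenated version breaks on the legitimate name (a syntax error, so at least it fails loudly) and returns every row for the probe input; both the quote-doubling version and the parameterised version return exactly the one matching row for the real name and nothing for the probe. Quoting does work when applied, as Lawrence says; the difference is that with parameters there is no per-call step that a developer can omit, and the driver, not the application, is responsible for any connection-specific encoding rules.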


