in reply to encoding to prevent sql injection in both perl and php
However, I really wonder if escaping the data when storing it in the SQLite database is a good thing. Rather than blindly accepting any odd data and relying on the sqlite_escape_string function to store it safely into the database, IMHO one should validate the data before storing it and reject data which has unacceptable content. Of course, the fact that SQLite can store any type of data in any column whatever its declared data type (some consider this a bug, others think it is a feature) allows you to be careless in storing data, and there is really no need, it seems, to encode/decode your data.
Of course, since MySQL uses static typing for its columns you must take care of what you are storing, unless you always use BLOB columns.
CountZero
"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law
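The two behaviours the post above relies on, SQLite accepting a text value in an INTEGER column and input validation rejecting bad data before it reaches the database, shown as an added example that is not part of the thread. It uses Python's standard sqlite3 module rather than the Perl and PHP of the original discussion, because the point is SQLite's behaviour, not the client language; the table, the username rule and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed schema: SQLite records the declared type but does not enforce it.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, age INTEGER, name TEXT)"

# Hypothetical application rule: usernames are short, alphanumeric plus underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_user(name, age):
    """Reject anything outside the expected shape before it reaches the DB."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(age, int) or isinstance(age, bool) or not 0 <= age <= 150:
        raise ValueError("invalid age")
    return name, age


def insert_user(conn, name, age):
    """Validate first, then hand the values to the driver as bound parameters.

    With bound parameters the values are never spliced into the SQL text, so
    there is no escaping step whose quoting rules could be got wrong.
    """
    name, age = validate_user(name, age)
    conn.execute("INSERT INTO users (name, age) VALUES (?, ?)", (name, age))
    conn.commit()


def stored_type_of_age(conn, name):
    """Return SQLite's own view of the storage class actually used for 'age'."""
    row = conn.execute(
        "SELECT typeof(age) FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def demo_dynamic_typing():
    """Unvalidated inserts: what the INTEGER column really ends up holding."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Arbitrary text is stored as text despite the INTEGER declaration.
    conn.execute("INSERT INTO users (name, age) VALUES (?, ?)",
                 ("alice", "not a number"))
    loose = stored_type_of_age(conn, "alice")    # 'text'
    # Numeric-looking text is converted by column affinity.
    conn.execute("INSERT INTO users (name, age) VALUES (?, ?)", ("bob", "42"))
    coerced = stored_type_of_age(conn, "bob")     # 'integer'
    conn.close()
    return loose, coerced


def demo_validation():
    """Validated inserts: only rows that match the application's rules get in."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    accepted, rejected = [], []
    # Constructed sample input: one good row, one injection-shaped name,
    # one age supplied as a string, one out-of-range age.
    for name, age in [("carol", 30), ("x' OR '1'='1", 30),
                      ("dave", "30"), ("eve", -1)]:
        try:
            insert_user(conn, name, age)
            accepted.append(name)
        except ValueError:
            rejected.append(name)
    conn.close()
    return accepted, rejected


if __name__ == "__main__":
    print(demo_dynamic_typing())   # ('text', 'integer')
    print(demo_validation())       # (['carol'], ["x' OR '1'='1", 'dave', 'eve'])
```

Run against a MySQL table with a real INTEGER column, the first insert in demo_dynamic_typing would be rejected or coerced by the server rather than stored as text, which is the contrast the post draws with SQLite.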
Re^2: encoding to prevent sql injection in both perl and php
by herveus (Prior) on Aug 24, 2006 at 23:45 UTC