Securing your MySQL Queries with Sprintf
Posted by wGEric, 11-26-2007, 09:11 PM
1. You don't need to use sprintf to secure your queries. Just make sure all user submitted data is the correct data type and strings are escaped. IMHO using sprintf makes your code harder to read and is more of a pain than typecasting.
2. Integers are not strings. If in your database you have an integer column type you shouldn't insert a string into that column. It just doesn't make sense. In other words, don't put quotes around integers in your query. I know MySQL allows it but it's not correct.
3. ` is only allowed in MySQL IIRC. It's not needed and doesn't make anything more secure. All it does is enclose table and column names.
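The two rules in the post (cast integers and leave them unquoted, escape strings and quote them) side by side with the sprintf form they argue against, and with a prepared statement that removes the need to build SQL text from user input at all. This is an added example, not code from the original post; it assumes a mysqli connection `$db` (placeholder credentials) and a hypothetical table `users` with an INT column `id` and a VARCHAR column `name`.

```php
<?php
// Added example (not from the original post). Assumes a mysqli connection $db
// and a hypothetical table `users` (id INT, name VARCHAR).

declare(strict_types=1);

/**
 * Build the query by hand, the way the post recommends: the integer is cast
 * and left unquoted, the string is run through the driver's escaper and quoted.
 * The escaper is only correct for the charset the connection is using, so the
 * charset is set once on the connection below.
 */
function buildUserQuery(mysqli $db, mixed $id, mixed $name): string
{
    $id = (int) $id;                                  // INT column: cast, no quotes
    $name = $db->real_escape_string((string) $name);  // VARCHAR column: escape, quote
    return "SELECT id, name FROM users WHERE id = $id AND name = '$name'";
}

/**
 * The sprintf form the post argues against. %d forces an integer, but %s does
 * nothing for safety on its own; the escaped value still has to be passed in.
 * Same query text as buildUserQuery(), just harder to read.
 */
function buildUserQuerySprintf(mysqli $db, mixed $id, mixed $name): string
{
    return sprintf(
        "SELECT id, name FROM users WHERE id = %d AND name = '%s'",
        (int) $id,
        $db->real_escape_string((string) $name)
    );
}

/**
 * Prepared statement: the values are sent separately from the SQL text, so the
 * query structure cannot change whatever the input contains. The column types
 * are still declared ("i" for the INT, "s" for the VARCHAR) so the data type
 * matches the column, which is the post's point 2 without any quoting question.
 */
function findUser(mysqli $db, mixed $id, mixed $name): ?array
{
    $idParam = (int) $id;
    $nameParam = (string) $name;
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ? AND name = ?');
    $stmt->bind_param('is', $idParam, $nameParam);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with constructed sample input: a non-numeric id and a name containing
// a quote. The cast reduces the id to 7 and the escaper neutralises the quote.
$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'app'); // placeholders
$db->set_charset('utf8mb4');

echo buildUserQuery($db, '7 OR 1=1', "O'Brien"), PHP_EOL;
echo buildUserQuerySprintf($db, '7 OR 1=1', "O'Brien"), PHP_EOL;
var_dump(findUser($db, '7 OR 1=1', "O'Brien"));
```

Both hand-built variants produce the same query text, which is the post's point: sprintf adds nothing beyond what the cast and the escaper already do. The prepared statement is shown because it sidesteps the quoting rules entirely; the cast remains useful there only to make the PHP value match the column type.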