As was pointed out previously you’ll want to make sure that
location is the name of a column in the users table or you’ll
still get a SQL error (or worse).
Yes that works, but my understanding is that this is a SQL injection risk,
which is why I wanted to use variable binding with a ? in the string.
On Thu, Feb 23, 2006 at 02:51:48PM -0600, Justin J. wrote:
Yes that works, but my understanding is that this is a SQL injection risk,
which is why I wanted to use variable binding with a ? in the string.
Indeed it is if you can’t trust the source of location’s value.
At the very least you have to ‘quote’ its value otherwise you’ll
be wide open to attack.
I should have clarified in my original post. The value of location is set
by a parameter on the URL. That is why I wanted to quote it to begin with.
But it does make more sense to just do an explicit check against the table
columns before including it. No need for quoting.
Yes that works, but my understanding is that this is a SQL injection risk,
which is why I wanted to use variable binding with a ? in the string.
SQL injection is mitigated with ? by appropriately quoting input
values. You are trying to substitute an attribute name (not an
attribute value), which will be unquoted, so using ? doesn't make
sense. Instead, you should check that your location is valid by
comparing it against known good values:
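As an added example (not code from the original thread, and not Rails' own code), here is the contrast the reply draws between a ?-bound value and an interpolated attribute name, followed by the check against known good column names that the earlier reply also settled on. It assumes a constructed column list USER_COLUMNS standing in for the users table (ActiveRecord would supply User.column_names) and imitates placeholder quoting with a small quote_value/expand_conditions pair so that it runs without a database:

```ruby
# Added example (not code from the original thread, and not Rails' own code):
# shows why binding a column name with "?" does not help, and how checking the
# name against the table's known columns does.
# Assumptions: USER_COLUMNS is a constructed stand-in for the users table's
# column list (ActiveRecord exposes this as User.column_names); quote_value and
# expand_conditions imitate what a "?" placeholder does to a value.

USER_COLUMNS = %w[id login email location created_at].freeze

class UnknownColumn < ArgumentError; end

# What a "?" placeholder does to its argument: treat it as a string VALUE,
# wrap it in single quotes and double any embedded single quote.
def quote_value(val)
  "'" + val.to_s.gsub("'", "''") + "'"
end

# Minimal stand-in for a [template, *values] conditions array: every "?" is
# replaced by the quoted form of the next value, left to right.
def expand_conditions(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

# The original idea: bind the column name with "?". The name becomes a string
# literal, so the database compares two literals ('location' = 'Austin')
# instead of looking at the column at all.
def conditions_column_bound(column, value)
  expand_conditions("? = ?", column, value)
end

# Interpolating the URL parameter straight into the SQL (what the thread warns
# against): the value is quoted, but the column position carries whatever the
# client sent.
def conditions_unchecked(column, value)
  expand_conditions("#{column} = ?", value)
end

# The fix: accept only a column name that is known to exist in the table, then
# let the placeholder quote the value. The name needs no quoting because a
# request can no longer put anything but a known column there.
def users_where(column, value)
  unless USER_COLUMNS.include?(column)
    raise UnknownColumn, "not a users column: #{column.inspect}"
  end
  expand_conditions("#{column} = ?", value)
end

if __FILE__ == $0
  puts conditions_column_bound("location", "Austin")
  puts conditions_unchecked("1=1 OR location", "Austin")
  puts users_where("location", "O'Brien")
  begin
    users_where("1=1 OR location", "Austin")
  rescue UnknownColumn => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file prints the expanded SQL for each case; the two lines worth comparing are the first, where the bound column name has become a string literal rather than a column reference, and the last, where the injected name never reaches the query because it is not in the column list.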