20 Dec 2011, by xqus

Escaping field and table names in PDO statements

PDO is Chuck Norris's (or whomever you believe in as the divine force that created earth) gift to PHP developers. It takes the hassle out of securing your SQL queries against SQL injections and other nasty stuff.

But it has one weakness: it has no method of escaping table and field names, because prepared-statement parameters can only stand in for values, never for identifiers. So how do we do it? The only solution I see is to quote table names (or field names) with backquotes (`) and then disallow backslash, backquote and the NUL character:
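The following is an added example written for this post, not the author's original snippet. It implements the rule above (wrap in backquotes, refuse backslash, backquote and NUL) as `quoteIdentifier()`, adds a stricter allow-list variant `pickIdentifier()` for the common case where the valid column names are known in advance, and shows both being used to build a PDO query whose identifier comes from untrusted input while the value is still bound as a parameter. The 64-byte limit is MySQL's maximum identifier length; the table, column names and the `$pdo` connection are assumed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Quote a MySQL table or column name for interpolation into an SQL string.
 * Rule from the post: backquote the name and refuse backslash, backquote and NUL.
 * Throws instead of "fixing" bad input, so a rejected name never reaches MySQL.
 */
function quoteIdentifier(string $name): string
{
    // MySQL identifiers are at most 64 characters; empty names are never valid.
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('identifier must be 1..64 bytes');
    }
    // Character class: backslash, backquote, NUL byte. PCRE handles NUL in the subject.
    if (preg_match('/[\\\\`\x00]/', $name) === 1) {
        throw new InvalidArgumentException('identifier contains a forbidden character');
    }
    return '`' . $name . '`';
}

/**
 * Stricter alternative: only accept a name that is on an explicit allow-list.
 * Use this whenever the set of legal columns is known (sorting, filtering UIs).
 */
function pickIdentifier(string $requested, array $allowed): string
{
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('identifier is not in the allow-list');
    }
    return quoteIdentifier($requested);
}

/**
 * Example query builder: the ORDER BY column is untrusted, the minimum id is a value.
 * Identifier goes through the allow-list; the value is bound with a placeholder.
 * (Hypothetical table "users" and columns; $pdo is an existing PDO connection.)
 */
function fetchUsersOrderedBy(PDO $pdo, string $orderColumn, int $minId): array
{
    $allowedColumns = ['id', 'name', 'created_at'];
    $sql = 'SELECT ' . quoteIdentifier('id') . ', ' . quoteIdentifier('name')
         . ' FROM ' . quoteIdentifier('users')
         . ' WHERE ' . quoteIdentifier('id') . ' >= :min_id'
         . ' ORDER BY ' . pickIdentifier($orderColumn, $allowedColumns);

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':min_id', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check that needs no database: constructed inputs, run with `php this_file.php`.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    assert(quoteIdentifier('created_at') === '`created_at`');
    assert(quoteIdentifier('user name') === '`user name`');   // spaces are legal when quoted

    foreach (["name` -- ", "a\\b", "x\x00y", '', str_repeat('a', 65)] as $bad) {
        try {
            quoteIdentifier($bad);
            echo "FAIL: accepted ", json_encode($bad), PHP_EOL;
        } catch (InvalidArgumentException $e) {
            echo "rejected ", json_encode($bad), ": ", $e->getMessage(), PHP_EOL;
        }
    }

    try {
        pickIdentifier('password_hash', ['id', 'name']);
        echo "FAIL: allow-list bypassed", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected off-list column: ", $e->getMessage(), PHP_EOL;
    }
    echo "identifier checks done", PHP_EOL;
}
```

MySQL does accept a backquote inside a quoted identifier when it is doubled, so a permissive escaper could replace `` ` `` with ``` `` ```; refusing it outright, as the post suggests, is simpler and leaves less room for mistakes. Prefer `pickIdentifier()` wherever you can enumerate the legal names, and fall back to `quoteIdentifier()` only for genuinely dynamic schemas.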

I should probably also note that this is a MySQL-only solution, since the backquote is MySQL's identifier quote (other databases use double quotes). If you are interested in more details, have a look here.