Re: [courier-users] authmysql vs apostrophe

Alessandro Vesely, 04-24-2008

Gordon Messmer wrote:
> Peter Burden wrote:
>> It may be worth using the MySQL function mysql_real_escape_string() which
>> should handle anything that could cause problems. Programmatically this
>> would be much less effort than using prepared statements which require a
>> considerable amount of coding.
>
> I think you've missed the point of this whole thread: string escaping is
> error-prone (particularly with respect to memory) and unnecessarily
> complex. If you've looked at the authmysql driver, you'd see that *not*
> using prepared statements requires "a considerable amount of coding".


That statement is not exact. I think Peter meant that using the
library escape function provides for the minimal amount of coding,
which is correct.

> Prepared statements are the best way to avoid injection attacks,
> simplify code, and (usually) get the best performance possible.


I agree on the first point. Not quite on the remaining two: IME the
code for prepared statements is more complex (in terms of LOCs) and
the performance increase (2x) is negligible.
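The trade-off argued in this thread, as an added example that is not part of the original post or of the authmysql driver: the same account lookup written with string concatenation, with manual escaping, and with a bound parameter. It assumes Python's built-in `sqlite3` as an offline stand-in for MySQL (SQLite escapes an apostrophe by doubling it, whereas `mysql_real_escape_string()` applies MySQL's own rules), and the `passwd` table, its columns and the addresses are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a hypothetical account table for a mail auth lookup."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passwd (id TEXT PRIMARY KEY, crypt TEXT)")
    db.executemany("INSERT INTO passwd VALUES (?, ?)", [
        ("o'brien@example.com", "hashA"),
        ("alice@example.com", "hashB"),
    ])
    return db

def lookup_concat(db, user):
    """Address pasted into the SQL text with no escaping."""
    sql = "SELECT crypt FROM passwd WHERE id = '%s'" % user
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # An apostrophe ends the string literal early and the statement no longer parses.
        return "error: %s" % exc.__class__.__name__

def lookup_escaped(db, user):
    """Manual escaping: little code, but correct only if every call site
    applies it and uses the quoting rules of this exact database."""
    sql = "SELECT crypt FROM passwd WHERE id = '%s'" % user.replace("'", "''")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, user):
    """Bound parameter: the address is passed as data and never enters the SQL text."""
    return [row[0] for row in db.execute(
        "SELECT crypt FROM passwd WHERE id = ?", (user,))]

if __name__ == "__main__":
    db = make_db()
    for user in ("o'brien@example.com", "x' OR '1'='1"):
        print(repr(user))
        print("  concat :", lookup_concat(db, user))
        print("  escaped:", lookup_escaped(db, user))
        print("  bound  :", lookup_bound(db, user))
```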