deleting syntax w/ PHP's PDO


deleting syntax w/ PHP's PDO

Sam Carleton-2
This might be a really basic question and it might be PHP related, not
SQLite, I am not sure...

I know that the traditional way to do a delete would be this:

DELETE FROM users WHERE ipaddress = '192.168.1.1'

But I have also seen syntax where the actual statement does NOT
contain the '192.168.1.1' but rather a ? and then the value is set as
a parameter on, in my case, the PDO object.  It is my understanding that
using the ? is much more secure than the traditional way above.  Where
might I go to learn more about the ? way of doing a delete?

Sam
_______________________________________________
sqlite-users mailing list
[hidden email]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: deleting syntax w/ PHP's PDO

Cory Nelson
On Feb 16, 2008 7:08 PM, Sam Carleton <[hidden email]> wrote:

> This might be a really basic question and it might be PHP related, not
> SQLite, I am not sure...
>
> I know that the traditional way to do a delete would be this:
>
> DELETE FROM users WHERE ipaddress = '192.168.1.1'
>
> But I have also seen syntax where the actual statement does NOT
> contain the '192.168.1.1' but rather a ? and then the value is set as
> a parameter on, in my case, the PDO object.  It is my understanding that
> using the ? is much more secure than the traditional way above.  Where
> might I go to learn more about the ? way of doing a delete?
>

It is not any more secure, just more foolproof.  You don't have to
worry about injection attacks and it might even be faster, especially
if you re-use the statement.

--
Cory Nelson

Re: deleting syntax w/ PHP's PDO

Eugene Wee
Hi Sam,

Although what you refer to applies more generally (e.g., the SQLite C
API has support for it), in this case the best reference would be the
PHP Manual's entry on the PDO extension:
http://www.php.net/manual/en/ref.pdo.php

In particular, read the section on "Prepared statements and stored
procedures". For further reading:
http://www.php.net/manual/en/function.PDO-prepare.php
http://www.php.net/manual/en/function.PDOStatement-bindParam.php

Regards,
Eugene Wee

Sam Carleton wrote:

> This might be a really basic question and it might be PHP related, not
> SQLite, I am not sure...
>
> I know that the traditional way to do a delete would be this:
>
> DELETE FROM users WHERE ipaddress = '192.168.1.1'
>
> But I have also seen syntax where the actual statement does NOT
> contain the '192.168.1.1' but rather a ? and then the value is set as
> a parameter on, in my case, the PDO object.  It is my understanding that
> using the ? is much more secure than the traditional way above.  Where
> might I go to learn more about the ? way of doing a delete?
>
> Sam
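The following is an added example, not code from any of the posts above, putting together Sam's question, Cory's remark about re-using the statement, and the PDO::prepare / PDOStatement::bindParam references Eugene gives. It runs against an in-memory SQLite database; the `users` table, its rows and the input string are constructed for the demonstration. The commented-out line shows the interpolated form Sam calls "traditional"; the `?` placeholder form beneath it is what the thread recommends.

```php
<?php
// Added example (not from the thread): parameterized DELETE with PDO on SQLite.
// The table, rows and input value below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, ipaddress TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (ipaddress) VALUES ('192.168.1.1'), ('192.168.1.2'), ('10.0.0.5')");

// A value taken from a request. In the worst case it is attacker-controlled;
// this constructed one contains a quote and SQL-looking text.
$untrusted = "192.168.1.1' OR '1'='1";

// Unsafe: interpolating the value makes it part of the SQL text, so the quote
// in the input terminates the literal and the rest is parsed as SQL. With the
// input above the WHERE clause would match every row in the table.
// $pdo->exec("DELETE FROM users WHERE ipaddress = '$untrusted'");

// Safe: the SQL text is fixed at prepare() time and contains only the ?
// placeholder. The value is bound separately, so SQLite only ever compares it
// as a string; it is never parsed as SQL.
$stmt = $pdo->prepare('DELETE FROM users WHERE ipaddress = ?');
$stmt->bindValue(1, $untrusted, PDO::PARAM_STR);
$stmt->execute();
printf("Rows deleted for the quoted input: %d\n", $stmt->rowCount());

// Re-using the same prepared statement: bind a new value and execute again.
// Passing an array to execute() is shorthand for binding each positional
// parameter with bindValue().
foreach (['192.168.1.1', '10.0.0.5'] as $ip) {
    $stmt->execute([$ip]);
    printf("Rows deleted for %s: %d\n", $ip, $stmt->rowCount());
}

$remaining = $pdo->query('SELECT ipaddress FROM users ORDER BY ipaddress')
                 ->fetchAll(PDO::FETCH_COLUMN);
print_r($remaining);
```

Run with `php example.php` (requires the pdo_sqlite extension). The first `execute()` deletes nothing, because no row's `ipaddress` equals the whole string `192.168.1.1' OR '1'='1`; the two re-used executions delete one row each, leaving only `192.168.1.2`. Named placeholders (`:ip` with `bindValue(':ip', $ip)`) work the same way and are easier to read once a statement has several parameters.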