I'm primarily a ColdFusion coder, but I do occasionally work in PHP. In CF there is a tag that can be used within your SQL query called <cfqueryparam>. The purpose of doing so is to prevent a SQL Injection Attack by parameterizing the comparison value in the WHERE clause. This way somebody can't just put a semicolon after a URL parameter and start dropping tables on you. Does PHP have an equivalent to the <cfqueryparam> tag in ColdFusion?
Related Article:
http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html
Thanks!
Rick
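The PHP counterpart of <cfqueryparam> is a prepared statement with bound parameters. The following is an added example (not part of the original post) using PDO against an in-memory SQLite database; the `users` table, its two rows and the hostile input string are constructed for the demonstration, and the example assumes the `pdo_sqlite` extension is available. It places the string-interpolated query beside the parameterized one so the difference in row counts is visible.

```php
<?php
// Added example, not code from the original post. Requires PDO with pdo_sqlite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample rows for the demo.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('bob', 1)");

// Constructed hostile value, as it might arrive in a URL parameter such as ?name=...
$userInput = "alice' OR '1'='1";

// Unsafe: the value is spliced into the SQL text. The quote inside $userInput closes
// the string literal and the remainder is parsed as SQL, so every row is returned.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter and is never parsed as SQL. This is
// the equivalent of <cfqueryparam value="#name#" cfsqltype="cf_sql_varchar">.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Typed parameter: PDO::PARAM_INT plays the role of cfsqltype="cf_sql_integer".
// Positional (?) placeholders are bound by 1-based index.
function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

printf("unsafe: %d row(s)\n", count(findUserUnsafe($pdo, $userInput))); // 2: the WHERE clause was rewritten
printf("safe:   %d row(s)\n", count(findUserSafe($pdo, $userInput)));   // 0: no user is literally named that
print_r(findUserById($pdo, 2));                                          // ['id' => 2, 'name' => 'bob']
```

As with <cfqueryparam>, binding only covers values; table and column names cannot be parameters and must be validated against an allow-list if they vary at runtime.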