Jay Taylor wrote:
>
>
> Daniel Convissor wrote:
>> In your initial post, I thought you were talking about
>> values. I think automatically delimiting identifiers is a bad idea.
>>
>> Field names entered into queries from program settings like
>> this do not constitute SQL injection.
>
> Does it account for someone having previously fed it a quoted fieldname? Or
> will it double quote things?
>
> If it can account for that..what is the harm? Dan may have a valid point,
> I'm just not sure from what he wrote what makes it a bad idea (other than
> that it is not necessary).
>
> What potential problems might we face?

I doubt he has added quote to add previous quoting, nor is this really
easily possible since some RDBMS quote differently.

regards,
Lukas
--
PEAR Development Mailing List (http://pear.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
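
The double-quoting question raised in this thread, as an added example that is not part of the original messages and is not PEAR code: `quoteIdentifier()`, `looksQuoted()` and the `$styles` table are hypothetical names, and the delimiters are the commonly documented ones for each dialect. It shows that quoting an already quoted name produces a different identifier, and that a "was it quoted before?" check depends on which RDBMS style the caller used.

```php
<?php
// Hypothetical helpers for illustration only.
$styles = [
    'ansi'  => ['"', '"'],   // SQL standard style
    'mysql' => ['`', '`'],   // MySQL default mode
    'mssql' => ['[', ']'],   // Microsoft SQL Server
];

// Wrap $name in the dialect's delimiters; an embedded closing
// delimiter is escaped by doubling it.
function quoteIdentifier(string $name, string $style, array $styles): string
{
    [$open, $close] = $styles[$style];
    return $open . str_replace($close, $close . $close, $name) . $close;
}

// Naive "already quoted?" test: first and last character are the
// dialect's delimiters. It cannot tell a pre-quoted name from a name
// that legitimately contains those characters.
function looksQuoted(string $name, string $style, array $styles): bool
{
    [$open, $close] = $styles[$style];
    return strlen($name) >= 2
        && $name[0] === $open
        && substr($name, -1) === $close;
}

// 1) Quoting twice does not give the same identifier back.
foreach (array_keys($styles) as $style) {
    $once  = quoteIdentifier('order', $style, $styles);
    $twice = quoteIdentifier($once, $style, $styles);
    printf("%-5s once: %-8s twice: %s\n", $style, $once, $twice);
}

// 2) A name pre-quoted in one style is not recognised under another,
//    so the check has to know which dialect the caller had in mind.
$preQuoted = '"order"';   // constructed input, ANSI-style quoting
foreach (array_keys($styles) as $style) {
    printf(
        "%-5s looksQuoted=%s  result=%s\n",
        $style,
        looksQuoted($preQuoted, $style, $styles) ? 'yes' : 'no',
        quoteIdentifier($preQuoted, $style, $styles)
    );
}
```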