[TYPO3-Performance] Prepared statements

Martin Kutschker masi-no at spam-typo3.org
Thu Nov 20 09:35:14 CET 2008


Vahan Amirbekyan schrieb:
> prepared statements are immune to SQL injection.

What makes you think this is so? You can still add input to the query.

e.g. "SELECT foo FROM bar WHERE x = {$_GET['arg']} AND y = ?"

Masi
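The mixed query Masi sketches, worked through as an added example (not code from the thread or from TYPO3). It uses Python's sqlite3 module rather than PHP/MySQL so it runs stand-alone; the `bar` table and its rows are constructed here, and `arg`/`y` stand in for the request parameters. The point it shows is that a prepared statement only protects the values actually bound to placeholders: the `x` value interpolated into the SQL string is injectable exactly as in a plain string-built query, while the fully bound form is not.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the "bar" table in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (foo TEXT, x INTEGER, y INTEGER)")
    conn.executemany(
        "INSERT INTO bar (foo, x, y) VALUES (?, ?, ?)",
        [("public", 1, 1), ("secret", 2, 1)],
    )
    return conn


def mixed_query(conn, arg, y):
    """Mirrors the post's query: `x` is interpolated into the SQL text,
    only `y` is a bound parameter. The statement is still "prepared",
    but whatever `arg` contains becomes part of the SQL grammar."""
    sql = f"SELECT foo FROM bar WHERE x = {arg} AND y = ? ORDER BY foo"
    return [row[0] for row in conn.execute(sql, (y,))]


def safe_query(conn, arg, y):
    """Both values bound: the driver sends `arg` as data, never as SQL,
    so "0 OR 1=1" is compared against the column as a literal value."""
    sql = "SELECT foo FROM bar WHERE x = ? AND y = ? ORDER BY foo"
    return [row[0] for row in conn.execute(sql, (arg, y))]


if __name__ == "__main__":
    db = make_db()
    # Benign request: both forms return the one matching row.
    print(mixed_query(db, "1", 1))          # ['public']
    print(safe_query(db, "1", 1))           # ['public']
    # Hostile `arg`: the interpolated version yields every row with y = 1,
    # because the SQL becomes "x = 0 OR 1=1 AND y = ?"; the bound version
    # matches nothing, since no row has x equal to the text '0 OR 1=1'.
    print(mixed_query(db, "0 OR 1=1", 1))   # ['public', 'secret']
    print(safe_query(db, "0 OR 1=1", 1))    # []
```

The placeholder in the mixed query gives a false sense of safety: it is the concatenation on the left-hand side, not the `?` on the right, that decides whether the statement is injectable.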

