in reply to
Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
Here are my thoughts...
- You should not rely upon what a particular DBI-implementation actually does with “a parameterized query.”
Nevertheless... you should know your own business. You should know what parameters you are expecting, and for each one you should know (a) that the value is “a scalar” and (b) what regular-expression pattern it should match.
Both of these considerations will be “specific to your application,” and therefore you should bear the first level of responsibility for ensuring conformance to them.