in reply to Re: Hacker Proofing My Script
in thread Hacker Proofing My Script
Placeholders are not the same as "automatic quoting rules". The $dbh->quote() method applies quoting to the values and then those are *inserted into the SQL statement* and that SQL statement is passed to the RDBMS. OTOH, for an RDBMS that supports placeholder, and when placeholders are used instead of $dbh->quote(), the values are not quoted, *are not inserted into the SQL statement*, and are passed separately to the RDBMS along with the SQL statement which still has placeholders marks in it. The RDBMS than operates on the statement + the values without ever needing to create a SQL statement that contains the values and therefore without the danger of having unkown SQL statements (injected as values) executed. So if the RDBMS supports placeholders (as distinct from a DBD that emulates them), placeholders are much more secure than quoting, even quoting with $dbh->quote().