Chris's Wiki :: blog/programming/SQLPlaceholders Comments
https://utcc.utoronto.ca/~cks/space/blog/programming/SQLPlaceholders?atomcomments
2013-05-28T07:51:38Z
Recent comments in Chris's Wiki :: blog/programming/SQLPlaceholders.
From 91.198.246.131
<div class="wikitext"><p>Actually, when your SQL server doesn't support placeholders and prepared
statements, you still benefit from them.</p>
<p>If you don't use them, you have to quote correctly <strong>every</strong> parameter, and
it's enough to leave just one to create a SQL injection vulnerability.</p>
<p>On the other hand, if you use placeholders, you leave all the remembering of how
to quote stuff right to your library. It's way easier to do quoting right once
in the library, and then allow the library to carry the rest.</p>
<p>--
dozzie</p>
</div>
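The point made in the comment above, as an added example that is not part of the original post or of any real database library: a constructed, minimal client-side placeholder emulation in which every parameter goes through one quoting routine (`quote_value`) and the query is assembled by `bind`, so application code never hand-quotes anything. The `users` table and the `lookup_user`/`demo` helpers are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed example (not from the original post): a minimal client-side
# placeholder emulation, the kind of thing a DB library does for a server
# without native prepared statements. Every parameter passes through ONE
# quoting routine, so callers never hand-quote anything.

def quote_value(value) -> str:
    """Render one Python value as a SQL literal (standard SQL quoting)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError(f"unsupported parameter type: {type(value).__name__}")
    if isinstance(value, int):
        return str(value)
    if "\x00" in value:          # many engines truncate strings at NUL
        raise ValueError("NUL byte in string parameter")
    return "'" + value.replace("'", "''") + "'"   # double embedded quotes


def bind(sql: str, params) -> str:
    """Replace each '?' outside string literals with a quoted parameter."""
    out, idx, in_str = [], 0, False
    for ch in sql:
        if ch == "'":
            in_str = not in_str   # '' inside a literal toggles twice, net zero
        if ch == "?" and not in_str:
            if idx >= len(params):
                raise ValueError("more placeholders than parameters")
            out.append(quote_value(params[idx]))
            idx += 1
        else:
            out.append(ch)
    if idx != len(params):
        raise ValueError("more parameters than placeholders")
    return "".join(out)


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised lookup: the caller never quotes, bind() does it once."""
    return conn.execute(bind("SELECT id FROM users WHERE name = ?", [name])).fetchall()


def demo() -> list:
    """Constructed in-memory table; shows a name containing a quote round-trips."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute(bind("INSERT INTO users VALUES (?, ?)", [1, "O'Brien"]))
    return lookup_user(conn, "O'Brien")
```

A mismatch between the number of `?` markers and the number of parameters is refused outright, which is the check that hand-built query strings silently skip.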