I think what Matt is saying is pretty standard.
Basically you should format your SQL to use things like:
    Prepare mysqlstmt as "select ... where mycolumn > ? and mycolumn < ?"
    Execute mysqlstmt using :hostvariable1, :hostvariable2
You should NOT do:
    Prepare mysqlstmt as "..." concat :whateverTheUserTypedIn concat...
as the latter is where you'll get hit with SQL injection attacks.
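
The contrast described in the post, as an added example that is not part of the original message: it uses Python's sqlite3 module as a stand-in for the embedded SQL Prepare/Execute above. The `orders` table, its rows, and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)")
    conn.executemany("INSERT INTO orders (amount) VALUES (?)",
                     [(5,), (50,), (500,), (5000,)])
    return conn

def query_concatenated(conn, low, high):
    """The 'should NOT do' form: user text becomes part of the statement."""
    sql = ("SELECT amount FROM orders WHERE amount > " + low +
           " AND amount < " + high + " ORDER BY amount")
    return [row[0] for row in conn.execute(sql)]

def query_parameterized(conn, low, high):
    """The prepared form: fixed statement text, values bound to '?' markers."""
    sql = ("SELECT amount FROM orders WHERE amount > ? AND amount < ? "
           "ORDER BY amount")
    # int() mirrors a typed numeric host variable: text that is not a
    # number is rejected before the statement runs. Whatever is bound is
    # treated as data and is never parsed as SQL.
    return [row[0] for row in conn.execute(sql, (int(low), int(high)))]

if __name__ == "__main__":
    conn = make_db()
    benign = ("10", "100")
    hostile = ("10", "100 OR 1=1")   # constructed user input

    print(query_concatenated(conn, *benign))     # range filter applies
    print(query_concatenated(conn, *hostile))    # filter bypassed, all rows
    print(query_parameterized(conn, *benign))    # range filter applies
    try:
        query_parameterized(conn, *hostile)
    except ValueError as exc:
        print("rejected:", exc)
```
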