From: Philip Thompson
Date: Fri May 2 09:09:50 2008
Subject: Re: Timestamps

On May 2, 2008, at 8:00 AM, Jason Pruim wrote:

> On May 1, 2008, at 8:31 PM, Chris wrote:
>
>>>> PS... Was it you, Jason, or someone else who asked about the security
>>>> of the community knowing their database structure and I encouraged the
>>>> use of `backticks` around all field and table names?
>>>
>>> Yeah it was me... Old habits die hard :) I'm working on converting
>>> everything :)
>>
>> A little caveat with that:
>>
>> 1) it's mysql specific
>
> Currently the system is just running on my server, and probably  
> always will... so I'm not too worried about it being mysql specific.

So is the query (mysql-specific). If you change to another *SQL, then  
you'll probably have to change the query anyway, so the backticks are  
not the biggest issue and they'll help you in the meantime.


>> 2) I can disable you using backticks
>>
>> http://www.php.net/manual/en/language.operators.execution.php
>
> I'll have to take a look at that and see what it says in a little bit.

As you mentioned Chris, the backticks are in a string, so there's not  
a security risk in this method.

~Philip
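
Added example, not part of the original thread: a PHP sketch of the distinction discussed above. Backticks inside a string are plain characters that MySQL reads as identifier quotes, while backticks outside a string are PHP's execution operator. The helper `quote_identifier()`, the `$allowed` list and the sample names are hypothetical, constructed for illustration.

```php
<?php
// Hypothetical helper: backtick-quote a MySQL table or column name.
function quote_identifier(string $name, array $allowed): string
{
    // Identifiers cannot be bound as query parameters, so only names
    // from a fixed list are accepted.
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown identifier: $name");
    }
    // Inside a quoted identifier MySQL escapes a backtick by doubling it.
    return '`' . str_replace('`', '``', $name) . '`';
}

// Constructed sample schema; `order` is a reserved word in MySQL,
// so it only works as a table name when quoted.
$allowed = ['order', 'timestamp', 'id'];

// The backticks below live inside a PHP string. PHP does not interpret
// them; they are sent to MySQL as part of the query text.
$sql = 'SELECT ' . quote_identifier('timestamp', $allowed)
     . ' FROM '  . quote_identifier('order', $allowed)
     . ' WHERE ' . quote_identifier('id', $allowed) . ' = ?';
echo $sql, PHP_EOL;   // SELECT `timestamp` FROM `order` WHERE `id` = ?

// Outside a string, backticks are the execution operator from the manual
// page linked in the thread: $out = `ls`; behaves like shell_exec('ls')
// and stops working when shell_exec() is disabled. That setting has no
// effect on the string above.

// Constructed untrusted input: a name that is not on the list is rejected
// instead of being spliced into the query.
try {
    quote_identifier('order` -- ', $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```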
Navigate in group php.db at server news.php.net