It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php … They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
Replying to @marcan42
It's not an excuse but just in case you didn't know, I believe that particular php doc site is wiki-like, i.e. you/we could fix this
Or at least perhaps put a big red warning on it saying 'don't actually do this' I suppose
Replying to @mopman
Sure, but the fact that the PHP community hasn't fixed literally the first result every newbie is going to find to talk to a database with PHP is just a massive reflection of how terrible they still are at security. Decades of SQL injections and this is what they're teaching?
11:12 AM - 26 Jan 2019