It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php … They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
-
I think it's made in case you need to use it for some random reason, but PDO is the way to go in a common scenario. Anyway, the use of a MVC framework is common nowadays and they give you tools to sanitize and filter data. It's still stupid.
But mysqli ***supports prepared statements***, they just aren't using them in the example!
-
-
Well the page says "basic examples", and usually the first thing you learn with DB connections with PHP is just to feed queries to it, and then take care of the security. They have examples for prepared statements tho, and they are in the quickstart guide http://php.net/manual/en/mysqli.quickstart.prepared-statements.php …
-
No, no, no, no, no. You **never** teach people the wrong way to begin with. Teaching the insecure way of doing things first is a *terrible* idea. If they just want to demonstrate a simple query first then it should be a constant one with no variable interpolation.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.