It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php … They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
Well, the page says "basic examples", and usually the first thing you learn with DB connections in PHP is just to feed queries to it, and then take care of the security. They have examples for prepared statements though, and they are in the quickstart guide http://php.net/manual/en/mysqli.quickstart.prepared-statements.php …
No, no, no, no, no. You **never** teach people the wrong way to begin with. Teaching the insecure way of doing things first is a *terrible* idea. If they just want to demonstrate a simple query first then it should be a constant one with no variable interpolation.
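An added example, not code from the PHP manual page or from the tweets above, putting the three patterns this thread contrasts side by side: the string concatenation the first tweet objects to, the mysqli prepared statement the reply points to, and the constant query with no interpolation that the last reply suggests as a first example. The MySQL server, the credentials and the `users` table are assumptions made for illustration.

```php
<?php
// Added example, not from the PHP manual or the tweets above.
// Assumes a MySQL server reachable with the (hypothetical) credentials below
// and a table created with:
//   CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64));
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed attacker-controlled input, as it might arrive in $_GET['name'].
$untrusted = "alice' OR '1'='1";

// 1. The pattern the first tweet objects to: user input concatenated into SQL.
//    Only the SQL text is built here so the effect can be seen without a server.
function vulnerableQuerySql(string $name): string
{
    return "SELECT id, name FROM users WHERE name = '" . $name . "'";
}
echo vulnerableQuerySql($untrusted), PHP_EOL;
// Resulting SQL: SELECT id, name FROM users WHERE name = 'alice' OR '1'='1'
// The quote in the input closes the string literal; the rest is parsed as SQL
// and the WHERE clause now matches every row. Escaping with
// mysqli_real_escape_string() only patches quoted string contexts and depends
// on the connection charset; it does not help for numeric or identifier positions.

// 2. The safe pattern: a prepared statement with a bound parameter.
//    The SQL text and the value travel separately, so the value can never
//    change the statement's structure, whatever characters it contains.
function findUserByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);      // 's' = bind as a string
    $stmt->execute();
    $result = $stmt->get_result();      // requires the mysqlnd driver
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// 3. The kind of first example the last reply asks for: a constant query,
//    nothing interpolated, so there is nothing to inject into.
function countUsers(mysqli $db): int
{
    $result = $db->query('SELECT COUNT(*) AS n FROM users');
    $row = $result->fetch_assoc();
    return (int) $row['n'];
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // hypothetical credentials
echo countUsers($db), PHP_EOL;
// Returns only rows whose name is literally "alice' OR '1'='1", i.e. none.
var_dump(findUserByName($db, $untrusted));
$db->close();
```

Running the first function against the constructed input shows the boundary problem the thread is about: the query text changes shape depending on the data. In the prepared version the same input is just a string compared against the `name` column, and the constant-query function shows that a "basic example" can demonstrate a round trip to the database without ever interpolating a variable.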