It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
I disagree a bit. Little is preventing the language from evolving to a point at which the only types allowed in query strings are constants or explicitly-typed passthrough functions that make it clear to say "I know this is potentially unsafe".
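Added example (not from either tweet or from the PHP manual): the concatenate-vs-bind contrast from the first tweet, followed by a sketch of the "only constants or explicit passthroughs may be executed" design the reply proposes. It uses Python's sqlite3 module in place of mysqli so it runs offline; the `SqlText`, `sql()`, `unsafe_raw()` and `run()` names are an assumed illustrative design, not any real library's API, and the user table is constructed.

```python
import sqlite3

# Constructed sample data standing in for the manual's example table.
USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """In-memory SQLite database (sqlite3 used instead of mysqli so the example runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", USERS)
    return conn


def find_by_name_concat(conn, name):
    """The pattern the tweet complains about: user input spliced into the SQL text."""
    sql_text = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql_text)]


def find_by_name_bound(conn, name):
    """Prepared statement: the SQL text is a constant, the value travels as a parameter."""
    sql_text = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql_text, (name,))]


# --- Hypothetical "query strings must be constants or explicit passthroughs" design ---
# SqlText is an assumed marker type for this example, not a real library API.

class SqlText:
    __slots__ = ("text",)

    def __init__(self, text):
        self.text = text

    def __add__(self, other):
        # SqlText + SqlText is fine (joining constant fragments); SqlText + str is the
        # concatenation bug we want the type to reject.
        if not isinstance(other, SqlText):
            raise TypeError("cannot splice a plain str into SQL: bind it, or wrap it in unsafe_raw()")
        return SqlText(self.text + other.text)


def sql(text):
    """Wrap a constant query fragment. Intended only for literals written in source."""
    return SqlText(text)


def unsafe_raw(text):
    """Explicit passthrough for dynamic SQL; the name is the 'I know this is unsafe' signal."""
    return SqlText(text)


def run(conn, query, params=()):
    """Execute only SqlText; a bare str is refused before it ever reaches the driver."""
    if not isinstance(query, SqlText):
        raise TypeError("run() only executes SqlText, got %s" % type(query).__name__)
    return [row[0] for row in conn.execute(query.text, params)]


def splice_is_rejected(fragment):
    """True if the marker type refuses to concatenate the given fragment."""
    try:
        sql("SELECT name FROM users WHERE name = '") + fragment
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("concat :", find_by_name_concat(conn, payload))  # every row leaks
    print("bound  :", find_by_name_bound(conn, payload))   # no such user
    print("typed  :", run(conn, sql("SELECT name FROM users WHERE name = ? ORDER BY id"), (payload,)))
    print("rejects:", splice_is_rejected(payload))
```

With the payload `' OR '1'='1` the concatenated version returns every user while the bound version returns nothing, which is the whole argument for prepared statements. The marker-type sketch shows what the reply is getting at: plain strings cannot reach the driver at all, and the only way to splice dynamic SQL is through a function whose name makes the risk visible in code review.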
XSS examples again, but: you want to emit raw HTML using <c:out> in JSTL? You have to set escapeXml="false". Want to do it in React? You have to type "dangerouslySetInnerHTML".
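Added example (not from the tweet, JSTL or React): the same escape-by-default, opt-out-by-name pattern the tweet describes, written in Python so it runs alongside the SQL example above. `render` HTML-escapes every substituted value unless it is wrapped in `Raw`, which plays the role of `escapeXml="false"` / `dangerouslySetInnerHTML`. The `Raw`, `render` and `_EscapingContext` names are an assumed illustrative design, not any templating library's API; the inputs are constructed.

```python
import html


class Raw(str):
    """Marker for HTML the caller vouches for. The loud name is the point: it is this
    example's equivalent of escapeXml="false" or dangerouslySetInnerHTML, and easy to grep for."""
    __slots__ = ()


class _EscapingContext:
    """Mapping handed to str.format_map: every lookup is escaped unless the value is Raw."""

    def __init__(self, values):
        self._values = values

    def __getitem__(self, key):
        value = self._values[key]  # KeyError on a missing name, as format_map expects
        if isinstance(value, Raw):
            return str(value)
        # quote=True also escapes " and ', so values are safe inside attribute quotes too.
        return html.escape(str(value), quote=True)


def render(template, **values):
    """Escape-by-default rendering: {name} placeholders are HTML-escaped, Raw() passes through."""
    return template.format_map(_EscapingContext(values))


if __name__ == "__main__":
    # Constructed inputs: a script tag in a text node, an attribute breakout, and trusted markup.
    print(render("<p>Hello, {name}</p>", name="<script>alert(1)</script>"))
    print(render('<a title="{t}">x</a>', t='" onmouseover="alert(1)'))
    print(render("<div>{body}</div>", body=Raw("<b>trusted markup</b>")))
```

The safe path needs no annotation at all; the only way to emit markup verbatim is to construct a `Raw`, so a reviewer can find every such decision with a single search, which is exactly the property the tweet credits JSTL and React with.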