It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php … They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
-
I disagree a bit.. Little is preventing the language from evolving to a point at which the only types allowed in query strings are constants or explicitly-typed passthrough functions that make it clear to say "I know this is potentially unsafe".
Okay... Sure, that's *technically* possible, but that's so far out of PHP land that there's no way it will ever happen. That's more like Rust territory.
-
-
You might right (I know zilch about PHP planning strategy); but again: they've thrown out bad default behavior before. More importantly: there's value in realizing that there is the potential for improvements. If "they're going to concat strings anyway", make "them" work for it
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.