It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
I totally agree, but for someone who has been programming in PHP for only a short time it may feel overwhelming to construct a query instead of operating with the DB the same way they do in a console, DB client, or whatever they use to send queries.
If you have no prior experience with programming at all, then it's pretty likely that you've never used a command-line client to send an SQL query either; so a "this is the shape of the query, these are the values" model is *more* intuitive than gluing it all together.
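The two styles the thread contrasts, as an added example that is not code from the tweets or from the PHP manual page linked above: the concatenation pattern beside the prepared-statement form ("this is the shape of the query, these are the values") using mysqli. The `users(id, email)` table and the sample address are assumptions made up for the illustration.

```php
<?php
// Added example, not from the thread. Assumes a table users(id, email);
// table, column and sample value are constructed for illustration.
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Pattern to avoid: the value is spliced into the SQL text, so the server
// cannot tell where the statement ends and the data begins.
function buildUnsafeSql(string $email): string
{
    return "SELECT id, email FROM users WHERE email = '" . $email . "'";
}

function findUserUnsafe(mysqli $db, string $email): ?array
{
    $result = $db->query(buildUnsafeSql($email));
    return $result->fetch_assoc() ?: null;
}

// Preferred: the statement's shape is fixed at prepare() time and the value
// is bound separately, so no input can alter the query structure.
function findUserSafe(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);      // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($id, $boundEmail); // works without mysqlnd
    $row = $stmt->fetch() ? ['id' => $id, 'email' => $boundEmail] : null;
    $stmt->close();
    return $row;
}

// Offline illustration: a perfectly legitimate address containing an
// apostrophe closes the quoted literal early, so the concatenated text is
// no longer the statement the developer intended. The prepared version
// passes the same value through unchanged because it never touches the SQL.
$input = "o'brien@example.com"; // constructed sample input
echo buildUnsafeSql($input), PHP_EOL;
```

The two lookup functions need a live `mysqli` connection; only `buildUnsafeSql()` is exercised by the top-level code so the file can be read and run without a database.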
The project we are doing at my job is a complete mess. Just to give you a taste of it, EVERY MODEL FUNCTION WE MAKE is written in a file called "dbmanager.php". That file is about 65k lines long. By this I mean that I see teaching good practice from the beginning as mandatory.