It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php … They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
-
Would be nice if there was a php.ini vary to disable non-prepared statements, but I can only imagine how much code would break. Definitely would need to be done at vhost/directory level.
You can still inject SQL with prepared statements, and not using them for queries without any interpolated data is perfectly legitimate. Barring some *very* fancy language features, this is something you can only fix via education.
-
-
Agreed, I can think of cases where I might use legitimately use a non-prepared statement. Can you give me example of SQLi against a prepared statement?
-
mysqli->prepare("SELECT * FROM users WHERE username = $username"); Nothing stops you from using prepared statements and then still sticking data in the SQL directly.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.