It's 2019 and PHP is *still* teaching people to concatenate SQL and vaguely-sanitized user input instead of using prepared statements. http://php.net/manual/en/mysqli.examples-basic.php … They got rid of the mysql module... only to teach people to use mysqli the same way. This is why SQLi isn't going away.
-
Agreed, I can think of cases where I might use legitimately use a non-prepared statement. Can you give me example of SQLi against a prepared statement?
mysqli->prepare("SELECT * FROM users WHERE username = $username"); Nothing stops you from using prepared statements and then still sticking data in the SQL directly.
-
-
*facepalm* The language really should treat that as string ‘$username’ and not evaluate it, but I’ve never thought to try. You’d have to be pretty dense to throw variables in like this though.
-
PHP interpolates variables between "". But even if it didn't, nothing stops you from explicitly concatenating...
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.