I came into my rather new team 3 months ago as a PHP developer and had to start coding in Python instead, and all of my 4 new coworkers were quite sufficient in Python (or so they claimed) due to working with it for years. When I looked into the database handler they had built, it had no support for prepared statements, so when I asked them about it they didn't even know that was a thing. They were preformatting all of their queries for all these years, in production. And they are all at least 10 years older than me, with that much more experience as well. I got quite scared for the company's future after that.
"Not even at gunpoint."
sebh06025364yWhy? (I don't know anything about sql)
Imagine your code looks like this:
db.query("INSERT INTO Students VALUES ('" + name + "');"); // user input pasted straight into the SQL text
Then your friendly neighborhood school tries to add your kid named
Robert'); DROP TABLE Students;--
Well, then the query you run winds up looking more like this...
INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;--');
You can probably guess what a semicolon does, what DROP TABLE is, and that "--" is a SQL comment...
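To make the comment above concrete, here is an added example (not from the original post or from anyone on this thread) that builds the same query string two ways against an in-memory SQLite database: once by string concatenation, the pattern the rant describes, and once as a parameterized query, the prepared-statement style the rant's coworkers were missing. The `Students` table, the `BOBBY` payload and all function names are assumptions constructed for this demo.

```python
import sqlite3

# Constructed sample input: the same payload the comment above uses.
BOBBY = "Robert'); DROP TABLE Students;--"


def build_query_unsafely(name):
    # The pattern from the comment: user input pasted straight into SQL text.
    # Returned as a string so the reader can see exactly what the database receives.
    return "INSERT INTO Students VALUES ('" + name + "');"


def run_unsafely(conn, name):
    # executescript() runs the whole string as SQL, which is effectively what a
    # hand-rolled handler that "preformats" its queries is doing.
    conn.executescript(build_query_unsafely(name))


def insert_student_safely(conn, name):
    # Parameterized query: '?' is a placeholder and the value travels separately,
    # so quotes, semicolons and '--' inside it are stored as data, never parsed as SQL.
    conn.execute("INSERT INTO Students VALUES (?);", (name,))
    conn.commit()


def table_exists(conn, table):
    # Look the table up in the catalog (also parameterized).
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?;", (table,)
    ).fetchone()
    return row is not None


def list_students(conn):
    return [row[0] for row in conn.execute("SELECT name FROM Students ORDER BY name;")]


def demo():
    # Vulnerable path: the concatenated text is executed as-is.
    bad = sqlite3.connect(":memory:")
    bad.execute("CREATE TABLE Students (name TEXT);")
    run_unsafely(bad, BOBBY)
    vulnerable_table_survives = table_exists(bad, "Students")

    # Safe path: the identical payload is passed as a parameter.
    good = sqlite3.connect(":memory:")
    good.execute("CREATE TABLE Students (name TEXT);")
    insert_student_safely(good, "Alice")
    insert_student_safely(good, BOBBY)

    return {
        "unsafe_sql": build_query_unsafely(BOBBY),
        "vulnerable_table_survives": vulnerable_table_survives,
        "safe_students": list_students(good),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe string comes out exactly as the comment shows it, and after executing it the `Students` table is gone; with the placeholder version the same input is just another row whose name happens to contain quotes and a semicolon. The fix is the same in every database library: never build SQL from user input, always bind it.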
iguana8394yWhat page is that in the Python docs?