Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
drRoss48808y@olback You haven't assigned the apikey variable in there, at least not in the image. Why not wrap all of the $sql variable in double quotes?
-
Wack61918yFirst of all, you should use prepared statements with PDO (have a look here: https://phpdelusions.net/pdo)
If you can't use PDO (and you should only do this in that case!), for the love of Linus Torvalds, at least use the http://php.net/manual/en/... function!
But as I said, if possible use PDO! If it's a bigger project, something like http://www.doctrine-project.org might be appropriate. If you just want to learn how to write queries, it's an overkill, but for a large project, use it. -
olback107948yFor the ppl saying sql injection, i escape string, you just can't see it in this picture.
-
Root797738y@olback
I'm not questioning your ability, and escaping them correctly isn't the issue. It's the practice of doing it in the first place.
It's so easy to make a mistake, and often so difficult to see it -- especially on large, complex queries with lots of interpolation or conditionals. Eventually, on some project in the future, you'll have an injection problem and your database may get compromised.
If you use an orm, solid query builder, prepared statements, etc. this never happens.
Related Rants
If you don't know how to do it the proper way, just throw something together. :D
Might not be pretty, but it works... (only took about 3 hours)
undefined
wk47
php
creative
mysql
sql