Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
px0622427yI couldn't care less about the fact that the naming is bad but what I do care about is is the fact that whoever wrote this is retarded enough to use mysql_query despite it being deprecated and as mentioned above its 2017 and SQL injections still exist and with so much pressure to use prepared statements or at least mysqli, it's really fucking stupid.
-
rui7257607y@olback can you give examples I am really clueless with sql injection I only know that you can prevent sql injections with placeholders
-
olback107947y@rui725 Just search the internet, there are many good examples and explanations out there.
Edit: I'm way too tired to explain right now, 3:30 in the morning, sorry :/ -
Voxera113887y@rui725 basic sql injection protection is to make sure you do not let any external data into the sql without checks.
One way is to use .net sql parameters or something equivalent.
Then the query engine knows it is data and handles checking and escaping for you.
If you have to roll your own make a set of data methods for the different types, number, string, boolean ...
That method does checking, like verifying that the number is a number or escapes strings by doubling all ‘ and adding ‘ on the sides.
Then you ALWAYS use the methods for all data no matter the source.
Never trust any data to be pre validated.
Of cause if you have strict typing you do not have to check an integer, it will not contain any secrets ;)
Also, the methods have to be easy to use an preferably convenient so that laziness works towards security. :D -
Got triggered with the style in the <div> and the mysql_* function that is deprecated since a year and a half. Punch the dude for me, please.
-
Baguette4257yIs the qurey the only problme you see in this Line ??
If yes , you ain't better than your Friend :(
Related Rants
Was my prev dev fucking high or what?
Who names an UPDATE Query as delete.
That shitfuck deserves a special place in hell.
undefined
fuck logic