| Subject: | Noes not use bind parameters. |
|---|
| Summary: | Package rating comment |
|---|
| Messages: | 2 |
|---|
| Author: | per |
|---|
| Date: | 2014-02-21 22:10:55 |
|---|
| Update: | 2014-02-21 22:29:02 |
|---|
| |
|
|
per rated this package as follows:
| Utility: | Insufficient |
|---|
| Consistency: | Sufficient |
|---|
| Documentation: | Sufficient |
|---|
| Examples: | Sufficient |
|---|
|
|
 per - 2014-02-21 22:10:55 Noes not use bind parameters. Although the sql query is textually excaped, we all know this was insufficient in 2006, and its just plain reckless to not use parameter binding.
per - 2014-02-21 22:29:02 - In reply to message 1 from perI do appreciate a CRUD generator. This code is currently unsuitable for exposure to an internet facing server. Even though you excape your string, I could still give your the variable like... $safe_escaped = '1 UNION SELECT password FROM users. Or use crazy combinations of concat, char, hex, and undex to manually write out my command without your escaped slashes.
|
