On May 14, 2015, at 8:09 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:

> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers <karl@xxxxxxxxxxxxxxx> wrote:
>
>> Hello Everyone,
>>
>> Have a quick question. Was reading some material and wanted some players' perspective.
>> I know w3schools is not the de-facto on everything, so I wanted to know how reliable the information on this page is.
>>
>> http://www.w3schools.com/sql/sql_injection.asp
>>
>> Namely the @ symbol before SQL values, and because this talks about SQL and not MySQL specifically, does this not apply to MySQL?
>> To my uneducated eyes it seems legit. Any clarification is greatly appreciated.
>>
>> TIA,
>>
>> Best,
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>
> That is preferred in PHP as well. The SQL/MySQL isn't specifically doing the replacement, but rather the driver object. Using parametrized queries:
>
> http://php.net/manual/en/pdo.prepared-statements.php

Thank you, Aziz.

Interesting link, thank you for that. I have not worked with prepared statements on my own, just in WordPress.

So the @ symbol is a preferred method even outside the SQL world because? What specifically is the @ symbol doing? From what I read, and from what you just mentioned, it's the PHP->SQL driver that checks this @ symbol and treats the data as literal text? Meaning it will not execute the text that comes after the @ symbol as code. Yes?

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com
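The PDO prepared-statement approach Aziz linked, as an added example that is not part of the thread. The table, the rows and the test input are constructed here; the script uses an in-memory SQLite database so it runs offline, and the DSN is the only thing that changes for MySQL.

```php
<?php
// Added example, not from the thread. In-memory SQLite keeps it self-contained;
// for MySQL use a DSN such as "mysql:host=localhost;dbname=app" and consider
// PDO::ATTR_EMULATE_PREPARES => false so the server itself separates the
// statement text from the bound values.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed input: a quote inside the value changes the meaning of the WHERE
// clause if the value is spliced into the SQL text as a string.
$input = "x' OR '1'='1";

// UNSAFE: the value becomes part of the SQL text, so the database parses the
// embedded quote and OR as SQL and the clause matches every row.
function findUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text contains only the placeholder :name. The value is handed
// to the driver separately and is never parsed as SQL, whatever characters it
// contains, so it is compared literally and matches no row here.
// (PDO placeholders are :name or ?; the @name form on the w3schools page is
// SQL Server / ADO.NET parameter syntax, not something the PHP driver scans for.)
function findSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare("SELECT name, role FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "unsafe query returned " . count(findUnsafe($pdo, $input)) . " row(s)\n";
echo "prepared query returned " . count(findSafe($pdo, $input)) . " row(s)\n";
```

Run it with `php example.php`; the two row counts show the difference between text that is parsed as SQL and a value that is only ever bound to a placeholder.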