Re: SQL Injection

On May 14, 2015, at 8:09 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:

> 
> 
> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers <karl@xxxxxxxxxxxxxxx> wrote:
> Hello Everyone,
> Have a quick question. Was reading some material and wanted some players' perspective.
> I know w3schools is not the de-facto on everything, so I wanted to know how reliable is the information on this page.
> 
> http://www.w3schools.com/sql/sql_injection.asp
> 
> Namely the @ symbol before SQL values, and because this talks about SQL and not MySQL specifically, does this not apply to MySQL?
> To my uneducated eyes it seems legit. Any clarification is greatly appreciated.
> 
> TIA,
> 
> Best,
> 
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
> 
> 
> 
> That is preferred in PHP as well. The SQL/MySQL isn't specifically doing the replacement, but rather the driver object. Using parametrized queries:
> 
> http://php.net/manual/en/pdo.prepared-statements.php  
> 


Thank you Aziz,
Interesting link, thank you for that. I have not worked with prepared statements on my own, just in WordPress.

So the @ symbol is a preferred method even outside the SQL world because?

What specifically is the @ symbol doing?

From what I read, and from what you just mentioned,
it's the PHP->SQL driver that checks this @ symbol and treats the data as literal text?
Meaning it will not execute the text that comes after the @ symbol as code.

Yes?

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com
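The question above, worked through in PHP as an added example (not code from the thread or from the php.net page Aziz linked): the @0-style marker on the w3schools page plays the same role as PDO's `?` or `:name` placeholders, and the contrast below shows that it is the driver keeping SQL text and values apart, not the symbol itself, that stops the input being parsed as SQL. It assumes a PHP build with the pdo_sqlite extension; the table, rows and input string are constructed for illustration.

```php
<?php
// Added example, not from the thread. Contrasts string concatenation with a PDO
// prepared statement, using an in-memory SQLite database so it runs offline.
// The table, its rows and the input string are constructed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed input, standing in for what a form field might carry.
// The single quote is what matters: it closes the literal when spliced into SQL.
$input = "nobody' OR '1'='1";

// 1) Concatenation: the input becomes part of the SQL *text*, so the parser sees
//    WHERE name = 'nobody' OR '1'='1'  and the OR clause matches every row.
$unsafe = $pdo->query("SELECT name FROM users WHERE name = '" . $input . "'")
              ->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated:  %d row(s): %s\n", count($unsafe), implode(', ', $unsafe));

// 2) Prepared statement: ":name" is a placeholder. The SQL text is fixed when
//    prepare() is called; the value travels separately and is only ever compared
//    as data, quote and all. Nothing in $input can change the query's structure.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
$stmt->execute([':name' => $input]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("parameterized: %d row(s)\n", count($safe));

// Caveat: placeholders stand for values only. Table and column names (including
// ORDER BY targets) cannot be bound; check those against a fixed allow-list.
```

Run with `php example.php`: the concatenated query returns both constructed rows, the parameterized one returns none, because the whole string (quote included) is compared against the name column.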

