SQL parameter binding
Posted: Sat Nov 20, 2010 3:27 pm
by timvw
How many years is it going to take before people finally realise that 'preparing' SQL statements and 'binding' parameters is the only sane way to perform queries in a 'safe' way?
(We're like in 2010 and I still see a lot of garbage examples being made... *vent frustration*)
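As an added example that is not part of the original thread: the two patterns timvw is contrasting, side by side, using Python's built-in sqlite3 module with an in-memory database (the language and the sample table are assumptions; the thread names neither). `lookup_concat` splices the user's input into the SQL text, so a value like `x' OR '1'='1` rewrites the WHERE clause and returns every row; `lookup_bound` keeps the SQL text fixed and hands the value to the driver as a parameter, so the same input is just a string nobody has. The last function shows the one thing binding cannot do, which is substitute an identifier such as a column name; that still has to be allowlisted.

```python
import sqlite3

# Constructed sample data (not from the original thread): a minimal users table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # The "garbage example" pattern: user input becomes part of the SQL text,
    # so quotes in the input change the structure of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    # Parameter binding: the SQL text is fixed at the '?' placeholder and the
    # value is passed separately, so it can only ever be compared as a value.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Classic tautology payload; constructed for the demo.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with a benign name and with the payload."""
    conn = build_db()
    return {
        "concat_benign": lookup_concat(conn, "bob"),      # ['bob']
        "concat_payload": lookup_concat(conn, PAYLOAD),   # every row leaks
        "bound_benign": lookup_bound(conn, "bob"),        # ['bob']
        "bound_payload": lookup_bound(conn, PAYLOAD),     # [] (no such name)
    }


# Binding only works for values. A column or table name cannot be a bound
# parameter (it would be quoted as a string literal), so anything that must
# land in the identifier position is checked against a fixed allowlist.
ALLOWED_SORT = {"id", "name", "role"}


def sort_is_allowed(column):
    return column in ALLOWED_SORT


def list_sorted(conn, column):
    if not sort_is_allowed(column):
        raise ValueError("unsupported sort column")
    # Safe to interpolate: 'column' is one of three known identifiers.
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} -> {rows}")
    print("sorted by name ->", list_sorted(build_db(), "name"))
```

Running it prints `['alice', 'bob', 'carol']` for `concat_payload` and `[]` for `bound_payload`, which is the whole argument in two lines of output. The same split applies to any driver with real placeholders (`?`, `%s`, `:name`); the allowlist for identifiers is needed regardless of how good the binding is.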
Re: SQL parameter binding
Posted: Mon Nov 22, 2010 4:42 am
by social_experiment
Probably when their sites get exploited. IMO (some) people only learn from experience brought on by a traumatic crack. Or when they start to read: many (if not all) books, PDFs and sites advocate preparing SQL statements.
Re: SQL parameter binding
Posted: Mon Nov 22, 2010 10:16 am
by Weirdan
timvw wrote: How many years is it going to take before people finally realise that 'preparing' SQL statements and 'binding' parameters is the only sane way to perform queries in a 'safe' way?
Not until there is a way in the MySQL client-server protocol to do this without serious performance degradation.