SQL parameter binding

Posted: Sat Nov 20, 2010 3:27 pm
by timvw
How many years is it going to take before people finally realise that 'preparing' sql statements and 'binding' parameters is the only sane way to perform queries in a 'safe' way?
(We're like in 2010 and I still see a lot of garbage examples being made... *vent frustration*)
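As an added illustration of timvw's point (example code, not from the thread; the table, rows and inputs are constructed), the same lookup written with string concatenation and with a bound parameter, using Python's sqlite3 module:

```python
import sqlite3

# Constructed in-memory table used only for this demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("o'brien", "o-secret")],
    )
    return conn

def lookup_concatenated(conn, name):
    # The pattern the thread complains about: untrusted input is spliced
    # into the SQL text, so the input can change the statement's meaning.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # A legitimate apostrophe already breaks the query; the caller
        # sees None instead of a result.
        return None

def lookup_bound(conn, name):
    # Prepared statement with a bound parameter: the value travels
    # separately from the SQL text and is never parsed as SQL.
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]

# Constructed sample inputs: an ordinary name, a name containing a quote,
# and the textbook tautology that turns the concatenated query into "match all".
ORDINARY = "alice"
QUOTED = "o'brien"
TAUTOLOGY = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    for value in (ORDINARY, QUOTED, TAUTOLOGY):
        print(repr(value), lookup_concatenated(db, value), lookup_bound(db, value))
```

The bound version returns exactly the rows whose name equals the input, while the concatenated version either errors on a valid name or returns every user for the tautology.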

Re: SQL parameter binding

Posted: Mon Nov 22, 2010 4:42 am
by social_experiment
Probably when their sites get exploited. IMO (some) people only learn from experience brought on by a traumatic crack. Or when they start to read: many (if not all) books, PDFs and sites advocate preparing SQL statements.

Re: SQL parameter binding

Posted: Mon Nov 22, 2010 10:16 am
by Weirdan
timvw wrote: How many years is it going to take before people finally realise that 'preparing' sql statements and 'binding' parameters is the only sane way to perform queries in a 'safe' way?
Not until there is a way in the MySQL client-server protocol to do this without serious performance degradation.