by setr
1786 days ago
Aren’t you referring to parameterized/prepared queries? Any proper DB driver/library should have this feature. do_sql("SELECT * FROM tab where name = ?", "abc")
https://www.php.net/manual/en/pdo.prepared-statements.php

I recall getting curious when I was younger where the deranged advice of “sanitize your queries” came from — realizing that you should be able to simply tell the database that this is a string, not part of the query itself. SQL injection should barely exist as a concept, let alone be the #1 web vulnerability. IIRC it turned out MySQL supported parameterized queries for ages, but the stdlib PHP MySQL library just didn’t add support for it. This discovery solidified my understanding that PHP has been giving developers brain damage for decades.
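The distinction the comment above draws (tell the driver "this is a value" instead of escaping text into the query) can be shown end to end with any driver that supports placeholders. The following is an added example, not code from the comment or from PHP's PDO docs; it uses Python's standard-library sqlite3 driver rather than PDO because the mechanism is the same at the driver level. The table, the rows, and the injection payloads are constructed for the demonstration. It shows three things: string concatenation is injectable, a home-grown "sanitize" step that escapes quotes does nothing for a numeric context where no quote is needed, and the `?` placeholder stops both because the value never becomes part of the SQL text.

```python
import sqlite3

# Constructed sample data: a small table with a name column and a secret column.
ROWS = [("abc", "secret-1"), ("def", "secret-2"), ("ghi", "secret-3")]

# Constructed attacker inputs.
STRING_PAYLOAD = "abc' OR '1'='1"   # breaks out of a quoted string literal
NUMERIC_PAYLOAD = "1 OR 1=1"        # needs no quote at all, so escaping is useless


def make_db():
    """Create an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tab (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    # Even the setup uses placeholders; there is never a reason not to.
    conn.executemany("INSERT INTO tab (name, secret) VALUES (?, ?)", ROWS)
    return conn


def lookup_by_name_unsafe(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so it can close the
    string literal and add its own predicate."""
    sql = "SELECT name FROM tab WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def naive_sanitize(value):
    """The 'sanitize your queries' approach: double up single quotes.
    This is the hypothetical home-grown escaping the comment argues against."""
    return value.replace("'", "''")


def lookup_by_id_sanitized(conn, id_str):
    """Still vulnerable: the column is numeric, so the caller wrote no quotes
    around the value, and quote-escaping has nothing to act on."""
    sql = "SELECT name FROM tab WHERE id = " + naive_sanitize(id_str)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_safe(conn, name):
    """Parameterized: the driver sends the SQL and the value separately.
    The payload is compared as a literal string and matches nothing."""
    return [row[0] for row in conn.execute("SELECT name FROM tab WHERE name = ?", (name,))]


def lookup_by_id_safe(conn, id_str):
    """Parameterized numeric lookup: '1 OR 1=1' is bound as a single value,
    not spliced into the expression, so it cannot add a predicate."""
    return [row[0] for row in conn.execute("SELECT name FROM tab WHERE id = ?", (id_str,))]


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input: ", lookup_by_name_unsafe(db, "abc"))
    print("concat, payload:      ", lookup_by_name_unsafe(db, STRING_PAYLOAD))
    print("sanitized, payload:   ", lookup_by_id_sanitized(db, NUMERIC_PAYLOAD))
    print("param, payload:       ", lookup_by_name_safe(db, STRING_PAYLOAD))
    print("param numeric, payload", lookup_by_id_safe(db, NUMERIC_PAYLOAD))
```

The numeric case is the one that usually gets missed: escaping is a property of one particular string-literal syntax, while a placeholder is a property of the protocol between driver and database, which is why the latter covers every context without the developer having to know which context they are in.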