by mike22 1647 days ago
> You would be right to expect the DB library to escape the string so that no SQL injection is possible.

SQL in some (hopefully good number of) cases is much safer than that. Going with MySQL prepared statements here: parameters are not substituted into the SQL statement string, but rather sent as separate data packets in the wire protocol.
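The contrast the comment draws, as an added example that is not part of the original thread: one lookup builds the SQL text from the input, the other binds the input as a parameter so the statement text never changes. It uses Python's built-in sqlite3 as a stand-in for MySQL's prepared-statement protocol (in MySQL the statement goes in a COM_STMT_PREPARE packet and the values in a later COM_STMT_EXECUTE packet; SQLite binds values the same way, outside the SQL text); the table and the probe input are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concatenated(conn, name):
    # Vulnerable form: the caller's value becomes part of the SQL text,
    # so a quote inside it changes the structure of the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    # Safe form: the statement text is fixed and the value travels
    # separately as data, so it can only ever be compared as a string.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed probe: contains a quote that terminates a string literal.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_concatenated(conn, PROBE))  # both rows: the clause was rewritten
    print(lookup_bound(conn, PROBE))         # []: no user has that literal name
```

Whether a given client library really uses server-side binding or emulates prepared statements by escaping on the client varies (PDO's emulation setting for MySQL is one example), so check the driver before relying on the wire-protocol argument.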