by imtringued
1204 days ago
> No matter what you do on the client side, the database engine itself should escape/validate the data. Didn't we learn that lesson with PHP?

You apparently didn't learn any lesson from PHP. The database engine's inability to distinguish a code character from a data character is what led to SQL injections in the first place. It doesn't matter whether you replace the template expression with a ? or with $1. The database receives the parameters outside the SQL query and treats them as user input either way.
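The point made above (the value is sent to the engine outside the SQL text, so it is always data, whatever characters it contains) is illustrated by this added example; it is not from the thread. It uses Python's standard-library sqlite3 with a constructed in-memory table and compares string concatenation against a bound ? parameter on the same inputs.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the value is spliced into the SQL text, so the engine sees a
    # single string and cannot tell user-supplied characters from query syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Parameterised: the SQL text is fixed; the value travels separately
    # (a ? placeholder here, $1 in PostgreSQL) and is always bound as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)  # the engine rejected the mangled SQL
    return {"concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    # A plain name, a legitimate name containing a quote, and a value that
    # carries SQL syntax: only the bound version behaves the same for all three.
    for n in ("alice", "O'Brien", "bob' OR name = 'alice"):
        print(repr(n), compare(n))
```

The apostrophe in O'Brien breaks the concatenated query outright, and the third input changes the result set of the concatenated query while the bound parameter simply matches no row.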