On 10.08.2015 at 11:57, Craig Francis wrote:

> You only have to skim read things like the second comment (with 27 up votes)
> on the PDO prepare page to see that these problems are happening all the time:
>
>
> http://php.net/manual/en/pdo.prepare.php#111458
> SELECT * FROM users WHERE $search=:email

"Skim reading" things might be the problem (here). The user contributed
note states:

| In my case I allow the user to enter their username or email,
| determine which they've entered and set $search to "username" or
| "email". As this value is not entered by the user there is no
| potential for SQL injection and thus safe to use as I have done.

So to me that note looks pretty fine.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
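
The pattern the quoted manual note describes, as an added example that is not part of the original message or the manual note: the column name comes from a fixed allow-list chosen by server-side classification, and only the searched value goes through a placeholder. The helper names, the table layout and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Column names cannot be bound as parameters, so the identifier is taken
// from a fixed allow-list; only the value travels through a placeholder.
const SEARCH_COLUMNS = ['username' => 'username', 'email' => 'email'];

// Hypothetical helper: classify what the user typed and return one of the
// allow-listed literals. The user's text itself never becomes an identifier.
function searchColumnFor(string $input): string
{
    $kind = filter_var($input, FILTER_VALIDATE_EMAIL) !== false ? 'email' : 'username';
    return SEARCH_COLUMNS[$kind];
}

// Hypothetical helper: look up a user by whichever column the input matches.
function findUser(PDO $pdo, string $input): ?array
{
    $column = searchColumnFor($input); // always "username" or "email"
    $stmt = $pdo->prepare("SELECT id, username, email FROM users WHERE $column = :value");
    $stmt->execute([':value' => $input]); // user input is bound, not interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");

// An e-mail address is matched against the email column.
var_dump(findUser($pdo, 'alice@example.com') !== null);
// Anything else is matched against the username column.
var_dump(findUser($pdo, 'alice') !== null);
// Input shaped like SQL is only ever compared as a bound string value.
var_dump(findUser($pdo, 'email OR 1=1 --') === null);
```

The interpolated `$column` stays safe only as long as it is derived from the allow-list; passing a request parameter straight into that position would bring back the injection risk discussed in the thread.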