On May 14, 2015, at 8:09 PM, Aziz Saleh <azizsa...@gmail.com> wrote:

> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers <k...@designdrumm.com> 
> wrote:
> Hello Everyone,
> Have a quick question. Was reading some material and wanted some Players 
> perspective.
> I know w3schools is not the de-facto on everything, so I wanted to know how 
> reliable is the information on this page.
> http://www.w3schools.com/sql/sql_injection.asp
> Namely the @ symbol before SQL Values and because this talks about SQL and 
> not MySQL specifically, does this not apply to MySQL?
> To my uneducated eyes it seems legit. Any clarification is greatly 
> appreciated.
> TIA,
> Best,
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
> That is preferred in PHP as well. The SQL/MySQL isn't specifically doing the 
> replacement, but rather the driver object. Using parametrized queries:
> http://php.net/manual/en/pdo.prepared-statements.php  

Thank you Aziz,
Interesting link, thank you for that. I have not worked with prepared 
statements on my own, just in WordPress.

So the @ symbol is a preferred method even outside the SQL world because?

What specifically is the @ symbol doing? 

From what I read, and from what you just mentioned,
it's the PHP->SQL driver that check this @ symbol and treats the data as 
literal text?
Meaning it will not execute the text that comes after the @ symbol as code.



Karl DeSaulniers
Design Drumm

Reply via email to