On Tue, May 27, 2014 at 10:01 AM, Doran Barton <[email protected]> wrote:
> Don't use PHP. ;-)
>
I know you probably meant this to be tongue-in-cheek, but this problem
isn't specific to PHP. It's just as easy to write bad SQL statements in
Perl or Python or any other language that interacts with a database.
In my code, I use parameterized queries and avoid hand-written queries
wherever possible. Yes, that probably means you have to learn to use a
database abstraction layer (and please, for the sake of all that is good in
the world, don't write your own!) and write statements that look like this:
    $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
Yes, it's slightly more complicated than just hand-coding your SQL queries.
But in the end, you'll save yourself a lot of pain.
--
Jared Smith
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
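The same contrast in Python's sqlite3 module, which binds named parameters the way the PDO snippet above does: an added example, not part of the original message. The users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original post).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "O'Brien")]
SQL_TEMPLATE = "SELECT id, name FROM users WHERE id=:id AND name=:name"


def make_db():
    """In-memory SQLite database with a small users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return db


def find_user_concat(db, user_id, name):
    """Hand-written query: the values are pasted into the SQL text, so a quote
    inside `name` changes the structure of the statement."""
    sql = "SELECT id, name FROM users WHERE id=%d AND name='%s'" % (user_id, name)
    return db.execute(sql).fetchall()


def find_user_param(db, user_id, name):
    """Parameterized query (the sqlite3 equivalent of PDO prepare/bindValue):
    the statement text is fixed and the values travel separately, so a quote
    inside `name` is just data."""
    return db.execute(SQL_TEMPLATE, {"id": user_id, "name": name}).fetchall()


def compare(user_id, name):
    """Row counts for both styles, or 'error' when the hand-written statement
    no longer parses."""
    db = make_db()
    try:
        concat = len(find_user_concat(db, user_id, name))
    except sqlite3.Error:
        concat = "error"
    param = len(find_user_param(db, user_id, name))
    return concat, param


if __name__ == "__main__":
    # A legitimate apostrophe breaks the hand-written query but binds fine.
    print(compare(3, "O'Brien"))        # ('error', 1)
    # A value that closes the string literal: the hand-written query matches every row,
    # the bound one matches none because the whole value is compared as a name.
    print(compare(1, "x' OR '1'='1"))   # (3, 0)
```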