top | item 35015782

(no title)

nezirus | 3 years ago

That is exactly the point, you should not use general string templating system for SQL queries, together with "roll your own" escape and validation mechanisms. I really don't see why they included that part, if not to show how to shoot yourself in the foot.

discuss

imtringued|3 years ago

I am very confused by your comments. PHP developers thought "sanitizing" strings aka escaping and validating strings is enough to get rid of SQL injections and that is how they ended up with multiple iterations of escaping functions. The problem, which is the separation of code from data, has not been solved and that is why it is a bad idea. The SQL example template in the article uses positional parameters via JDBC and is therefore completely safe to use. It is impossible to get it wrong except by using STR which is obviously the wrong template processor.

bcrosby95|3 years ago

There is no roll your own escape mechanics. The example uses prepared statements.