rsch|11 months ago
PHP was blamed for a good reason: for a long time it did not by default support prepared SQL statements. You could install the mysqli extension to gain such support but that was almost never available on shared web hosts.
allset_|11 months ago
girvo|11 months ago
And yet similar classes of bugs still pop up today, even with what I would've assumed to be safe defaults? I'm guessing it's non-standard databases or DB clients or something?
This case is more just a pure lack of sanitisation, but it's fascinating to see in 2025 still :)