
The addslashes() Versus mysql_real_escape_string() Debate

Török Gábor · 2006 Jan 23 (Mon), 08:24
Example of SQL injection

Worth taking to heart!

Kelemen Zádor · 2006 Jan 23 (Mon), 18:18
Andi Gutmans writes:

"My main advice to people is to always use prepared statements and then bind your parameters. Even if you are not planning to reuse the prepared statement, and won't get any performance benefit from doing so, it will prevent your apps from being attacked using SQL injections because parameters are bound after the statement is compiled.
People just shouldn't be using anything else!"
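As an added illustration of the point Gutmans makes (this is example code written for this page, not from the thread or from any of the people quoted), the same lookup is written three ways against an in-memory SQLite database through PDO, so it runs offline. The table, its rows, the function names and the injection payload are all constructed for the demo; PDO::quote() stands in here for the driver-aware escaping that mysql_real_escape_string() does for ext/mysql.

```php
<?php
// Added example, not code from the original page. Uses an in-memory SQLite
// database via PDO so it is self-contained; schema and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// 1. Vulnerable: untrusted input is spliced straight into the SQL text, so a
//    quote in the input ends the string literal and the rest becomes SQL.
function lookupUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping: the value is quoted for this specific driver before being
//    spliced in. addslashes() is not driver- or charset-aware; PDO::quote()
//    (like mysql_real_escape_string()) is. Escaping only helps when the value
//    sits inside a quoted string literal, never for bare numbers or identifiers.
function lookupEscaped(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement with a bound parameter: the SQL text is parsed first
//    and the value is supplied afterwards, so it can never alter the statement.
function lookupPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Classic payload: turns the WHERE clause into a tautology when spliced in raw.
$payload = "' OR '1'='1";

var_dump(lookupUnsafe($db, $payload));    // ["alice", "bob"]: the injection worked
var_dump(lookupEscaped($db, $payload));   // []: the quote was escaped, no such name
var_dump(lookupPrepared($db, $payload));  // []: the payload is just a string value
```

One caveat when carrying this over to MySQL: PDO's MySQL driver emulates prepared statements client-side by default, so set `PDO::ATTR_EMULATE_PREPARES` to `false` if you want the server itself to do the binding that Gutmans describes; either way the value never reaches the SQL parser as text.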