  • It makes me wonder why everyone who rants about parameterized queries never brings an example with them. Maybe it's because the code would be more complex and messy with no real benefits? Commented Mar 14, 2011 at 22:09
  • He didn't mean a literal %27 but an apostrophe coming from the query string. Commented Mar 14, 2011 at 22:10
  • Sure, but in PHP you get either an apostrophe that is escaped by mysql_real_escape_string or you get the literal text %27, which apparently doesn't need to be escaped. So why the downvote? Point is you can't inject SQL this way. The question suggested that a URL-escaped quote would pass mysql_real_escape_string and would cause trouble in the SQL statement. But it won't unless you're using it in a LIKE. :p Commented Mar 14, 2011 at 22:25
  • It's just empty blab again and no working example. That's what I am talking about. Commented Mar 14, 2011 at 23:09
  • The only one who's ranting is you. I already explained the nuances of the 'better performance' statement, but could you please tell us why they are not more secure? The only thing you've essentially said is "No, not true", but without explanation, motivation or example. I've taken the effort to take my code, translate it and put it online. You can take a look at a real-life example here: www.eftelist.nl. Now please come with a useful reply or just sod off and go compile yourself. Commented Mar 15, 2011 at 7:35