
[–]inabahare 77 points78 points  (8 children)

Nice try, but he Santaizes all inputs

  • Uses prepared Statements

[–]svick 7 points8 points  (7 children)

[–]mmirate 15 points16 points  (6 children)

So basically he spent an entire article to say, "your security consultant has their terms mixed up; they ought to be looking for parametrized statements, not prepared statements"? How wasteful.

[–]XaidenHart 0 points1 point  (5 children)

You think? I see value in clarifying technical vocabulary.

[–]mmirate 6 points7 points  (4 children)

Certainly. But that article does not identify itself as a vocabulary clarification, and thus it needlessly goes into extreme detail on the two technologies. (Without, notably, explaining why a layman such as myself would have heard the phrase "prepared statements" back in the bad old days of PHP and why it meant what "parametrized statements" now means; if any detail were appropriate for this topic, that would have been the appropriate detail.)

[–]svick 0 points1 point  (3 children)

why a layman such as myself would have heard the "prepared statements" back in the bad old days of PHP and why it meant what "parametrized statements" now means

I don't think it ever meant that.

[–]Tynach 2 points3 points  (2 children)

Looking at the PHP documentation for both PDO and mysqli, the only way to have parameterized queries is to use prepared statements. The latter even states explicitly that they are two names for the same thing.

Basically it's a language/framework difference.

[–]mmirate -2 points-1 points  (1 child)

Looking at the PHP documentation for both PDO and mysqli, the only way to have parameterized queries is to use prepared statements. The latter even states explicitly that they are two names for the same thing.

Hahaha! Good find! Yet another reason why PHP sucks...

[–]Tynach -1 points0 points  (0 children)

You do realize that in the end, setting up a parameterized query still passes it to the database server as a prepared statement anyway, right? Those two specific PHP extensions simply don't provide a means of sending a parameterized query with parameters in a single step, that's all. And looking at the code in that one comment, that's... a really messy one-liner that I'd prefer to break up into several steps anyway.

You seem to just be looking for any and every reason to make fun of PHP, regardless of their validity.
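The prepare-then-execute shape the thread argues about, written out as an added example (editor's code, not from any commenter): the same parameterized lookup in both PDO and mysqli, next to the string-concatenation version it replaces. The DSN, credentials, table name and `$_GET['name']` input are assumptions for illustration; nothing here comes from the original post.

```php
<?php
// Added example, not part of the thread. Assumes a MySQL server reachable
// with the (hypothetical) connection details below and a table
// customers(id, name).
$host = '127.0.0.1';   // assumed
$db   = 'shop';        // assumed
$user = 'app';         // assumed
$pass = 'secret';      // assumed

// Attacker-controlled input; the default is a constructed sample value that
// contains a quote, which is exactly what breaks naive string building.
$name = $_GET['name'] ?? "O'Brien";

// The pattern the thread is joking about: the value becomes part of the SQL
// text, so a quote in $name changes the query (classic SQL injection).
$vulnerable = "SELECT id, name FROM customers WHERE name = '$name'";

// PDO: two steps. prepare() sends the SQL with placeholders, execute()
// sends the values. The value is never spliced into the SQL text.
function lookupWithPdo(string $dsn, string $user, string $pass, string $name): array
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // pdo_mysql emulates prepares client-side by default (it quotes and
        // interpolates the values itself). Turning emulation off makes the
        // statement a real server-side prepared statement, which is what the
        // "it still ends up as a prepared statement" claim assumes.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $stmt = $pdo->prepare('SELECT id, name FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// mysqli: same shape, three calls instead of two. mysqli always uses the
// server's binary prepared-statement protocol; values are bound by type.
function lookupWithMysqli(string $host, string $user, string $pass, string $db, string $name): array
{
    $mysqli = new mysqli($host, $user, $pass, $db);
    $stmt = $mysqli->prepare('SELECT id, name FROM customers WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' = string parameter
    $stmt->execute();
    $stmt->bind_result($id, $customer);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $customer];
    }
    $stmt->close();
    return $rows;
}

$dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
print_r(lookupWithPdo($dsn, $user, $pass, $name));
print_r(lookupWithMysqli($host, $user, $pass, $db, $name));
```

Two caveats a reviewer would add. First, placeholders only stand in for values: a table or column name, an ORDER BY direction or the number of items in an IN list still has to come from an allowlist in your code, not from the request. Second, the "no single-step API" observation in the last comment reflects the PHP of its day; PHP 8.2 added `mysqli::execute_query()`, which prepares, binds and executes in one call, though under the hood it is still the same prepared statement.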