  Re: I promised not to mock ...  
From: Warp
Date: 28 Apr 2008 17:13:46
Message: <48163e09@news.povray.org>
Nicolas Alvarez <nic### [at] gmailisthebestcom> wrote:
> PHP too. Few people use prepared statements in PHP, they just 
> concatenate strings into a SQL statement. And that's why PHP has such 
> abominations as "magic quotes", to protect the developers against 
> themselves, annoy to hell people who know what they're doing, and get 
> backslashes all over your webpages.

  Most PHP programmers who know about SQL injections and quote escaping
believe it's enough to make PHP escape those quotes, but most of them
are oblivious to another exploit which the quote escape usually doesn't
fix, namely cross-site scripting.

-- 
                                                          - Warp
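
The point made in the post above, as an added example that is not part of the thread or of any poster's code: quote escaping of the kind magic quotes applied leaves HTML markup untouched, so the SQL and HTML layers each need their own defence. The function names, the `comments` table and the sample inputs are constructed for illustration, and the script assumes PHP 7 or later with the `pdo_sqlite` extension.

```php
<?php
// Added example, not code from the thread. Names and sample input are constructed.

// What magic_quotes_gpc did to request data: addslashes() on every value.
function magic_quotes_emulation(string $value): string
{
    return addslashes($value);
}

// Context-specific output encoding for an HTML text node or quoted attribute.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one aimed at the SQL layer, one at the HTML layer.
$samples = [
    'sql-style'  => "x' OR '1'='1",
    'html-style' => '<script>alert(1)</script>',
];

// Prepared statement: data never becomes part of the SQL text (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');

foreach ($samples as $label => $raw) {
    $escaped = magic_quotes_emulation($raw);
    // Quote escaping only touches ', ", \ and NUL, so markup passes through untouched.
    printf("%-10s quote-escaped: %s (%s)\n", $label, $escaped,
        $escaped === $raw ? 'unchanged' : 'changed');
    $insert->execute([':body' => $raw]);   // store the raw value, no escaping needed
}

// Encode at output time, for the context the value is written into.
foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    echo '<p>', html_encode($row['body']), "</p>\n";
}
```

The HTML-style sample is reported as unchanged by the quote-escaping step, while the final loop prints both stored values with `<`, `>` and quotes encoded as entities.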



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.