> SQL injection is not avoided by escaping arguments, but by never mixing the command and user supplied arguments in the first place.
People see:
execute("select * from table where id = ?", id);
as for the most part like:
execute(sprintf("select * from table where id = '%s'", escape(id)));
Where `escape()` is written by "smarter people" and makes sure that `id` isn't a string like this:
0'; delete all from user;'
(e.g. turning it into `0''; delete all from user;''`). I realize that this isn't what actually happens, but the general idea is that you are sanitizing your inputs.
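The distinction the comment draws, as an added illustration that is not the commenter's code: Python's `sqlite3` against a throwaway in-memory `user` table (both constructed here), running the bound-parameter form and the escape-and-splice form on the string quoted above.

```python
import sqlite3

# Constructed example, not from the original thread: a throwaway in-memory
# database with a `user` table, used to show how a bound parameter is handled.
HOSTILE_ID = "0'; delete all from user;'"   # the string from the comment above


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, name text)")
    conn.executemany("insert into user (id, name) values (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_parameterized(conn, user_id):
    # The SQL text is fixed; sqlite3 binds `user_id` as a value, so a quote or
    # semicolon inside it can never close the literal or start a new statement.
    return conn.execute("select * from user where id = ?", (user_id,)).fetchall()


def lookup_escaped(conn, user_id):
    # The other shape from the comment: double single quotes, then splice the
    # result into the statement text. For this input the doubling is enough,
    # but correctness now rests on escape() knowing every quoting rule of the
    # database, which is the work parameter binding makes unnecessary.
    escaped = user_id.replace("'", "''")
    return conn.execute(f"select * from user where id = '{escaped}'").fetchall()


def demo():
    # Returns (rows from bound query, rows from escaped query, rows left in user).
    conn = setup()
    bound = lookup_parameterized(conn, HOSTILE_ID)
    escaped = lookup_escaped(conn, HOSTILE_ID)
    remaining = conn.execute("select count(*) from user").fetchone()[0]
    return bound, escaped, remaining


if __name__ == "__main__":
    print(demo())  # ([], [], 2): no match either way, table untouched
```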
Can we stop with this, please? I'm sure it's not your intention, and it's the way it's always phrased, but it's casual contempt, and we deserve to treat each other and be treated better.
"escape() is written by someone who spent a large amount of time analysing all the issues, testing, taking and incorporating feedback so the rest of us, who are both smart and competent, don't have to duplicate the work."