
I know the PHP/PDO way to do it is prepared statements.

I'm not able to see why the parent's suggestion to just escape the strings is not a valid solution from a security perspective.



Because you also have integer-based SQL injection. Escaping strings isn't a complete fix.


Yep. In fact the typical SQL injection example is " 0 OR 1=1 ".


> that's less secure than prepared statements, and may break some things (eg if the code is relying on certain things not being escaped, etc)
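The point made above (escaping only protects a value that sits inside quotes; an unquoted integer comparison is untouched by it, so "0 OR 1=1" becomes SQL) as an added Python/sqlite3 example, not code from the thread. The table, its rows and the `escape_string` helper are constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def escape_string(value):
    """Hypothetical string escaper in the style of a DB driver's
    escape function: doubles single quotes. It only has any effect
    when the caller wraps the result in quotes."""
    return str(value).replace("'", "''")


def lookup_name_escaped(conn, name):
    """Escape-and-quote for a TEXT column. Here escaping does its job:
    the quote in the input is doubled and stays inside the literal."""
    sql = "SELECT name FROM users WHERE name = '" + escape_string(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_id_escaped(conn, user_id):
    """Escape-only for an INTEGER column. The value is not quoted, so
    the escaper never engages and the input is parsed as SQL syntax:
    "0 OR 1=1" returns every row."""
    sql = "SELECT name FROM users WHERE id = " + escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_id_prepared(conn, user_id):
    """Prepared statement: the value is bound as data, never parsed as
    SQL, regardless of whether the column is text or integer."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_id_escaped(db, "0 OR 1=1"))   # all three names leak
    print(lookup_id_prepared(db, "0 OR 1=1"))  # []: bound as a literal
    print(lookup_name_escaped(db, "x' OR '1'='1"))  # []: escaping held
```

Binding is the fix; validating that `user_id` is actually an int before the query is a separate, additional check.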