Seems to be they’re dropping the passwords in the database in plain text, but they’re deathly afraid that someone will drop a '; in there or something and the insert will break.
Notwithstanding that storing passwords in plain text is a slapping with the 10 foot rubber chicken, but mysqli_real_escape_string() or any number of other similar solutions are indeed a thing that exists. A prepared statement would work, too.
but mysqli_real_escape_string() or any number of other similar solutions are indeed a thing that exists. A prepared statement would work, too.
You make it sound as if a prepared statement is a last resort. I would turn that around: as a rule always use prepared statements when dealing with user input. It’s very easy to forget a single call to mysqli_real_escape_string().
I was thinking more along the lines of the types of laziness/ineptitude most likely present at wherever OP’s example were being written. Escape string is one line of code for this whereas preparing a statement is like five.
But really they should just be hashing it. Then the input doesn’t matter.
Seems to be they’re dropping the passwords in the database in plain text, but they’re deathly afraid that someone will drop a '; in there or something and the insert will break.
Notwithstanding that storing passwords in plain text is a slapping with the 10 foot rubber chicken, but mysqli_real_escape_string() or any number of other similar solutions are indeed a thing that exists. A prepared statement would work, too.
You make it sound as if a prepared statement is a last resort. I would turn that around: as a rule always use prepared statements when dealing with user input. It’s very easy to forget a single call to
mysqli_real_escape_string().I was thinking more along the lines of the types of laziness/ineptitude most likely present at wherever OP’s example were being written. Escape string is one line of code for this whereas preparing a statement is like five.
But really they should just be hashing it. Then the input doesn’t matter.