buran Wrote:@Actually @buran your response shows that you are the one that is clueless passing a parameterized list (aka sting) inserting variables (that could be strings) is exactly the same as concatenating a string within a string and thus creates the same issue -- further the documentation you quote does not take into the fact that would only be the case if the data had not already been scrubbed prior to being passed to the database class -- which is how it ought to be handled -- meaning that by the time I get to the actual database where I am building the data I am guaranteed that the data has nothing in it that would be dangerous including things that would simply cause a query to choke without it being an actual injection attack. Further due to the lameness of this response I am going to guess I have far more years of experience under my belt in a professional capacity than you do.Denni, obviously you don't know what you are talking about. I don't care what you do in your code base, but don't confuse and mislead other users.
Still again since you seem to be rather slow on the pick up -- if you handle the data properly the threat of injection has already been dealt with long before you get to the where you create the database query because it has already been completely validated and scrubbed but if you are concerned that this is not the case then you add a validator/scrubber -- which by the way you cannot do using the methodology you are using but I can -- by simply passing the values into a validator/scrubber prior to concatenating them to the string query that is being built -- but then again I have already handled this long before I get to my actual database class as that kind of manipulation takes place in the controller
@Melford frustration is not okay if your object is to help someone as this frustration is most often due to the fact that the tutor is not communicating the information clearly as is the case with buran -- not only that he is instructing you improperly on how you ought to be doing this. Have you ever heard of MVC?
Also big note -- the only bad or stupid question is the unasked one if you are truly wanting to learn -- so always ask if you find your tutor is inadequate then find another one that can explain it to you -- but always be leery as not everyone knows how to code properly and they propagate a lot of misinformation because they have a false sense of superiority about themselves
If you would care to dial back a bit and look at my example you will find that it covers all the bits and pieces you need -- further it implements debugging prints to help you ascertain perhaps where something is being done not as you expect it would be done.