On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:
On 03/24/2016 07:57 AM, Always Learning wrote:
I should have imposed strict controls on the length of parameters passed to programmes via web pages $_GET[] such as... and reject any incoming string containing ' or " in addition to PHP's strip_tags and (deprecated in later versions) mysql_real_escape_string($_GET['....'],$link);
No. No. Nooooooooo.
You're missing the point that everyone is trying to communicate to you. Do not use string concatenation. Do not use sprintf. Do not use mysql_real_escape_string().
I have never (not once) used non-prepared SQL statements, nor string concatenation, nor sprintf.
mysql_real_escape_string() is useful for storing words with apostrophes in tables.
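For comparison, an added example (not code from anyone in this thread) showing how a prepared statement stores a value containing an apostrophe without any escaping call: the value is sent to MySQL separately from the SQL text, so quote characters in the data are stored literally and never become part of the statement. The table name, column name, connection details and the constructed $_GET value are placeholders.

```php
<?php
// Added example, not from the thread. Connection details are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'example_user',
    'example_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed request input standing in for a real $_GET['word'].
$_GET['word'] = "O'Brien";

// A length or format check is still a sensible business rule, but it is
// not what keeps the value out of the SQL text; parameter binding does that.
$word = $_GET['word'] ?? '';
if ($word === '' || strlen($word) > 64) {
    http_response_code(400);
    exit('word must be between 1 and 64 bytes');
}

// The placeholder :word is bound to the raw value; the apostrophe needs no
// handling by the application, and no mysql_real_escape_string() call.
$insert = $pdo->prepare('INSERT INTO words (word) VALUES (:word)');
$insert->execute([':word' => $word]);

// Reading it back uses the same mechanism and returns the stored value unchanged.
$select = $pdo->prepare('SELECT word FROM words WHERE word = :word');
$select->execute([':word' => $word]);
$row = $select->fetch(PDO::FETCH_ASSOC);
echo 'stored: ', $row['word'], PHP_EOL;
```

The same pattern applies to mysqli with prepare() and bind_param(); the point in both cases is that the data never travels inside the SQL string.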