[CentOS] C5 MySQL injection attack ("Union Select")

Thu Mar 24 17:42:27 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 03/24/2016 10:13 AM, Always Learning wrote:
> I have never (not once) used non-prepared SQL statements, nor string
> concatenation, nor sprintf.

Perfect!

> mysql_real_escape_string() is useful for storing in tables words with
> apostrophes.

You shouldn't need to escape anything if you're using prepared statements.
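As an added illustration of that point (not part of this thread; it uses Python's sqlite3 module with an in-memory database standing in for MySQL, and the sample words are constructed), a parameterised statement stores apostrophes and SQL-looking text verbatim without any escaping, while string concatenation is what made escaping necessary in the first place:

```python
import sqlite3

# Constructed sample values: a name with an apostrophe, a contraction, and
# a string that merely looks like SQL. All three are plain data to a
# prepared statement, so none of them needs escaping.
SAMPLE_WORDS = ["O'Brien", "it's", "x' UNION SELECT 1 --"]


def store_words(words):
    """Insert words with a parameterised (prepared) statement and read
    them back. Returns the stored strings, byte-for-byte unchanged."""
    conn = sqlite3.connect(":memory:")  # in-memory DB in place of MySQL
    conn.execute("CREATE TABLE words (w TEXT NOT NULL)")
    # '?' placeholders: the driver passes each value separately from the
    # SQL text, so an apostrophe inside a value can never close the literal.
    conn.executemany("INSERT INTO words (w) VALUES (?)",
                     [(w,) for w in words])
    rows = conn.execute("SELECT w FROM words ORDER BY rowid").fetchall()
    conn.close()
    return [r[0] for r in rows]


def concatenation_fails(word):
    """Why escaping was ever needed: building the statement by string
    concatenation lets an apostrophe in the data break the SQL.
    Returns True if the database rejected the concatenated statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (w TEXT NOT NULL)")
    try:
        # Deliberately unsafe construction, shown only to contrast with
        # the parameterised version above.
        conn.execute("INSERT INTO words (w) VALUES ('" + word + "')")
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print(store_words(SAMPLE_WORDS))       # all three words, unchanged
    print(concatenation_fails("O'Brien"))  # True: the apostrophe broke it
```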