10
olback
7y

If you don't know how to do it the proper way, just throw something together. :D
Might not be pretty, but it works... (only took about 3 hours)

Comments
  • 5
    Oh god... There's just... So much wrong here o.O
  • 0
    @Zaphod65 haha feel free to reply wiht the correct solution
  • 0
    @olback You haven't assigned the apikey variable in there, at least not in the image. Why not wrap all of the $sql variable in double quotes?
  • 4
    Never.
    Ever.
    Ever.
    Ever.
    Construct.
    SQL.
    Manually.

    Ever.
  • 1
    LOL wtf is this ? I am sorry but I am calling the police 👮
  • 3
    This is how "sql injection" happens ;-)
  • 0
    Yuk. How do I -- the code without -- the rant?
  • 3
    Try to learn about prepared queries, and the PDO class in PHP.
  • 2
    First of all, you should use prepared statements with PDO (have a look here: https://phpdelusions.net/pdo)

    If you can't use PDO (and you should only do this in that case!), for the love of Linus Torvalds, at least use the http://php.net/manual/en/... function!

    But as I said, if possible use PDO! If it's a bigger project, something like http://www.doctrine-project.org might be appropriate. If you just want to learn how to write queries, it's an overkill, but for a large project, use it.
  • 1
    For the ppl saying sql injection, i escape string, you just can't see it in this picture.
  • 4
  • 0
    He he... Atom....

    Use http://medoo.in/
  • 3
    @olback
    I'm not questioning your ability, and escaping them correctly isn't the issue. It's the practice of doing it in the first place.

    It's so easy to make a mistake, and often so difficult to see it -- especially on large, complex queries with lots of interpolation or conditionals. Eventually, on some project in the future, you'll have an injection problem and your database may get compromised.

    If you use an orm, solid query builder, prepared statements, etc. this never happens.
Add Comment