I’m not sure what else you’d call this besides an open invitation to face roll your database. How many times have we discussed SQL injection here at CSI: PHP? I guess we’ll have to discuss it a lot more.
“Read this today on a developer thread. I was horrified, but then I realized he was working on his local machine – so no issue there1. But, then I read the rest of his email/question, and in his signature, it said “Senior PHP Developer.” NNNOOOOOO”
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
This is a straight education problem. My suspicion is this “Senior” dev is the only dev, has worked solo for many years, reads very little, and has no contact with the PHP community. I wish there was a good way to reach out to those devs, show them the error of their ways, and teach them the right way. Ah, but I digress from my usual cynical snark.
WAT A BIG DUMMY.
With that out of the way, the right way to refactor the snippet above is to 1) use PDO and 2) use prepared statements. Show us how it’s done, PHP: The Right Way.
1. I respectfully disagree with the contention that bad practices are acceptable in local environments. “Practice like you’ll play” is one of my favorite quotes. In this context it means that you should write every line of code as if it’s going into production. Best practices are best practices everywhere.