28
sudoguy
8y

So this is how they "teach" us in school...As a part time dev I was completely shocked when I saw this in our materials. What do you think? Should I drop the teachers tables to give him a lesson?

Comments
  • 6
  • 12
  • 4
    You should at the very least bring it up, that kind of code is a great way to get your job application thrown in the garbage bin.
  • 3
    If this is just an jntroductory lecture I don't see much problem.

    This will quickly demonstrate the concept behind the code and its relation with the DB.

    Otherwise, I totally agree. This is not code to be put out there in the wild
  • 0
    @fredrf can you please tell why the above code is wrong
  • 4
    @fredrf Even if it is an introductory lecture its a bad idea to teach students bad practices, Those students will get real jobs one day (The number of junior developers out there who are clueless is quite scary, and whats worse is that there is quite a large number of "senior" developers who are just as bad, that kind of code still makes it to production on a daily basis)
  • 0
    @ItsNotMyFault can u tell the correct code for this statement
  • 1
    @jayadev You have to use the function mysqli_real_escape_string
  • 0
    @xxmicloxx thank you
  • 0
    @ItsNotMyFault I totally agree with what you said.

    However, my point is: first you teach the basics, and then you build on it. If this is the only way the book/teacher expects you to query the DB, this is very very wrong!

    But if there are other areas that this is converted to PDO/escaped/etc then I see no problem
  • 2
    I am afraid, that this is everything we get because we are focused on automation and control (PLCs etc.) and this subject is only some "extra" knowledge we get. But I think even if it is something like that, we should focus more on security, because this code is suicide => better to never see something like this if we don't go deeper.
  • 0
    @sudoguy so, did you ever drop the table? I want an update if you did :P
  • 1
    @NathanDoesDev I'll see if I have balls to do it. I'll update ;)
  • 0
    @jayadev full explanation for why the code is bad:
    The data in the $_POST array comes from the user's computer. This code takes the data supplied by the user and sticks it directly into the SQL statement without checking to see if it will do anything bad. The right person could make their computer send any kind of data into that $_POST array, which could do any number of bad things as part of the SQL statement.
Add Comment