Almost every single native RDBMS API provides parameterized queries / prepared statements where the parameters are sent separately from the query text. Here's one from MySQL:

https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-bind-para...

String escapes should have been dead a few decades ago -- I don't think any modern platform requires it; they all support parameterized queries natively.
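An added example, not part of the comment above, contrasting the two approaches in Python's standard-library sqlite3 module (its driver binds parameters through SQLite's prepared-statement API, playing the same role as mysql_stmt_bind_param). The users table and its rows are constructed for the demonstration; `lookup_concat` and `lookup_param` are hypothetical helper names.

```python
import sqlite3

# Constructed sample data; SQLite stands in for MySQL so this runs offline.
_ROWS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def _connect():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _ROWS)
    return conn


def lookup_concat(name):
    """String concatenation: the input becomes part of the SQL text itself,
    so any quote in it changes the statement's structure."""
    conn = _connect()
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(name):
    """Parameterized query: the SQL text is fixed at prepare time and the
    value is bound separately, so it can only ever be compared as a string."""
    conn = _connect()
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (row count via concatenation, row count via parameters) so the
    two behaviours can be checked side by side for a given input."""
    return len(lookup_concat(name)), len(lookup_param(name))
```

A well-formed name gives the same one-row answer either way; an input containing a quote and a trailing `OR` clause widens the concatenated query to every row, while the parameterized query correctly matches nothing because no user literally has that name.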
