>>4
How is saying ``LOL U GET SHIT DONE'' a sign of intellect? It's the standard excuse for Java monkeys to not use better languages, second only to ``use the right tool for right job''.
Of course >>2 said something completely different from that, but you do look like one of those that likes to ````get the shit done''''.
>>8
I don't know why people tend to write long articles about this issue. Applying mysql_real_escape_string() to all parameters you pass in is all there is to it.
>>10
Because mysql_real_escape_string() is subject to the same multibyte character problems as PHP's built-in function addslashes() under the right circumstances.
Even Xarn uses shitty WordPress for his blog. It's not ideal, of course, but Web development is never an ideal thing to be working with anyway. As long as your code isn't complete horrid shit that's prone to SQL injection exploits (PHP is notorious for this, but it can be dealt with even in PHP), then you shouldn't have too much to worry about.
>>12
Well, they do actually support prepared statements.
Though just saying it like that might be a bit nice to them, in that it sounds like the language might actually have one well-thought out, useful feature that doesn't encourage buggy, unmaintainable code by design.
Well, perish the thought. See if you can spot the amazingly retarded API design in the following snippet from their manual pages:

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
// 'sssd': one type letter per placeholder (s = string, d = double); the variables are bound by reference
$stmt->bind_param('sssd', $code, $language, $official, $percent);
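The multibyte problem >>10 mentions, as an added example that is not from this thread or from PHP: the script below reimplements the byte-wise escaping that addslashes() does (and that mysql_real_escape_string() effectively does when the client library is not told the connection charset) and then decodes the resulting query the way a server using GBK would. The attacker input, the user table and the column name are all constructed for the demo; no database is involved, and the GBK bypass (0xBF 0x5C forming one valid two-byte character) is the case the function exercises. A prepared statement such as the mysqli snippet quoted above is not affected, because the parameter values never travel inside the SQL text at all.

```python
"""Simulation of byte-wise SQL escaping under a single-byte vs a multibyte charset.

Added example, not code from the thread or from PHP. Sample input is constructed.
"""

# Constructed attacker input: lead byte 0xBF, then a quote, then the payload.
INJECTED_NAME = b"\xbf' OR 1=1 -- "
BENIGN_NAME = b"alice"
SAFE_SHAPE = "SELECT * FROM users WHERE name = ?"  # hypothetical query used by the demo


def addslashes(data: bytes) -> bytes:
    """Escape in the style of PHP addslashes(): put a backslash before ' " \\ and NUL.

    Works byte by byte with no knowledge of the charset, which is the root of the bug.
    """
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(username: bytes) -> bytes:
    """Naive query construction: escape the value and splice it into a quoted literal."""
    return b"SELECT * FROM users WHERE name = '" + addslashes(username) + b"'"


def strip_literals(sql: str) -> str:
    """Replace every single-quoted literal with '?' and return what the server treats as SQL.

    Backslash escapes inside a literal are honoured, as MySQL's parser does by default.
    An unterminated literal runs to the end of the string.
    """
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1  # opening quote
        while i < n and sql[i] != "'":
            i += 2 if sql[i] == "\\" else 1  # a backslash consumes the next character
        i += 1  # closing quote (or past the end if unterminated)
        out.append("?")
    return "".join(out)


def effective_sql(username: bytes, charset: str) -> str:
    """Decode the escaped query as a server using `charset` would and show its SQL shape."""
    return strip_literals(build_query(username).decode(charset))


def is_injected(username: bytes, charset: str) -> bool:
    """True when the value escaped out of its literal and changed the SQL structure."""
    return effective_sql(username, charset) != SAFE_SHAPE


if __name__ == "__main__":
    # Single-byte charset: the backslash stays a backslash, the quote stays escaped.
    print("latin-1:", effective_sql(INJECTED_NAME, "latin-1"))
    # GBK: 0xBF 0x5C is one character (縗), so the following 0x27 is a bare quote.
    print("gbk:    ", effective_sql(INJECTED_NAME, "gbk"))
```

Under latin-1 the escaped value stays inside the literal and the statement keeps the shape `SELECT * FROM users WHERE name = ?`; under GBK the decoded text becomes `... name = '縗' OR 1=1 -- '`, so the payload is parsed as SQL. The fix the thread is circling around is to stop splicing values into the query text: either bind parameters (mysqli prepare/bind_param, PDO) or at least set the connection charset so the escaping routine knows the encoding it is escaping for.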