
Yes, but you had better be 100% sure that your escaping function is completely reliable, and the server hasn't introduced some new syntax since you wrote it that you aren't escaping properly.

I would trust parameters much more (although I have used proper escaping in the past).



A few popular database drivers use escaping under the hood for parameterized query arguments. The mysql2 Ruby gem (and any Rails stack on top of it), for example.


They probably do a better job of it than you do, so let them handle it.
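As an added illustration of the point made in this thread (not code posted by any commenter), here is the parameterized form using Python's standard `sqlite3` module: the driver binds the value, so the application never has to know the server's quoting rules. The sample input is constructed for the example; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample input (not from the thread): characters a hand-rolled
# escaper would have to get right for the target server's quoting rules.
SAMPLE_NAME = "O'Brien \\ \"quoted\"; -- not a comment"


def create_schema(conn: sqlite3.Connection) -> None:
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")


def insert_user(conn: sqlite3.Connection, name: str) -> int:
    # '?' is a bind placeholder: the driver passes the value as data, so no
    # quote or backslash handling is done in application code at all.
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def find_user(conn: sqlite3.Connection, name: str):
    # Same placeholder style for lookups; the comparison is against the
    # literal value, whatever characters it contains.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchone()


def all_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def demo() -> dict:
    # In-memory database so the example runs offline with no setup.
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    rowid = insert_user(conn, SAMPLE_NAME)
    found = find_user(conn, SAMPLE_NAME)
    return {"rowid": rowid, "found": found, "names": all_names(conn)}


if __name__ == "__main__":
    print(demo())
```

The stored and retrieved value is byte-for-byte the original input, and exactly one row exists, without any escaping code in the application.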



