[prog] Placeholders (was MySQL connections from PHP files...)
Gareth Anderson
somecsstudent at gmail.com
Mon May 2 18:46:08 EST 2005
I'm sorry, I still don't get placeholders. I understand that it's
something you're simply substituting and that's good for speed.
But I don't get how it saves you from MySQL injections.
"
function search_entry($id) {
    /* Error checking? etc */
    /* The ? is a placeholder; the value is supplied separately at bind time */
    $search = "SELECT title, author, date ...
               FROM entries
               WHERE id = ?";
    /* $db is an already-open mysqli connection */
    $sth = $db->prepare($search);
    /* "s" binds $id as a string; it is never spliced into the SQL text */
    $sth->bind_param("s", $id);
    $sth->execute();
    ...
    return $results;
}
"
How do placeholders help here?
Couldn't you just do an SQL injection attack?
What if we submitted the id as: ' OR '' = '
Wouldn't that return all users in the database with any ID?
Could you show me a more complicated example, like using a username/password?
$allow = "SELECT * FROM users
          WHERE username=? and password=?";
Would that be valid for a string we're going to perform the bind on?
And yes I was using mysql_connect() simply because I didn't know any better.
Sorry, I'm very confused today :(
Regards,
Gareth
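The point the question circles around is that a bound parameter is sent to the database as data, never re-parsed as SQL text, so a value like ' OR '' = ' cannot change the shape of the query. The following is an added example, not code from the post or from PHP's mysqli: it is written in Python against an in-memory SQLite table (so it runs offline) and uses a constructed users table with two rows; the binding mechanism it shows is the same one mysqli's prepare/bind_param uses. It puts the string-concatenated query beside the placeholder version for both the single-id lookup and the username/password lookup asked about above.

```python
import sqlite3

# Constructed sample data, not from the original post. Passwords are stored in
# the clear only to keep the binding example short; a real application would
# store a salted hash and compare against that.
ROWS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def search_entry_concat(conn, user_id):
    """Vulnerable form: the value is pasted into the SQL text.

    Quote characters inside user_id become part of the query's syntax, so
    the input ' OR '' = ' turns the WHERE clause into
    id = '' OR '' = '' which is true for every row.
    """
    sql = "SELECT id, username FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def search_entry_bound(conn, user_id):
    """Placeholder form, the equivalent of the mysqli prepare/bind_param above.

    The SQL text is fixed before the value is supplied; the driver hands the
    value over separately, so the same input is compared literally against
    the id column and matches nothing.
    """
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def login_bound(conn, username, password):
    """The two-placeholder username/password query asked about above.

    Each ? is bound independently; neither value can alter the AND.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '' = '"
    print("concatenated:", search_entry_concat(db, probe))   # every row
    print("bound:       ", search_entry_bound(db, probe))    # no rows
    print("bound id=1:  ", search_entry_bound(db, "1"))      # only alice
    print("login ok:    ", login_bound(db, "alice", "s3cret"))
    print("login probe: ", login_bound(db, "alice", probe))  # no rows
```

Running the script shows the concatenated query returning both rows for the probe value while the bound query returns none, and the bound login query only succeeding when both the username and the password actually match a row.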