Quote:
Originally Posted by FoxtrotAlpha
That sounds horrific haha. I'd be in the same situation if I accepted the job I mentioned.
I blame all these freelancer websites (e.g. freelancer.com) since people often go for the cheapest person/team which then turns out to be a bunch of inexperienced programmers. At least you're getting paid hourly, because that'll take many, many hours by the sound of it :p
I don't think there's any reason to not use PDO or MySQLi these days, considering you can just prepare the statements and have input automatically sanitised, or even bind variables to simplify the logic.
Good luck with it, though, your client should be extremely happy once you're done, considering anything would be better than it is now.
We're slowly getting there. I was just totally surprised when I saw $_GET going into a variable and then directly into the database without any type of sanitizing at all. I ran my vuln scanner (webvulscan and Acunetix) against it and almost fell out of my chair. Now I can hold up my head and say "How many vulns? 0". It's helpful having those tools at your disposal while coding.
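As an added illustration of the two posts above (this is example code written for this thread, not code from either poster or from the client's application): the vulnerable pattern of request input concatenated into a query, beside the PDO prepared-statement form FoxtrotAlpha recommends. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `users` table, its rows and the stand-in for `$_GET['name']` are all constructed here. With MySQL the only change is the DSN; the prepare/bind calls are the same.

```php
<?php
// Added example, not from the thread: "$_GET straight into the database" versus a
// PDO prepared statement. In-memory SQLite and constructed rows keep it self-contained.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'),
            ('O''Brien', 'obrien@example.com')");   // constructed sample data

// --- Vulnerable: request input is spliced into the SQL text itself. ---
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: the SQL is fixed at prepare time; the value travels as a bound parameter. ---
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request input standing in for $_GET['name'].
// An ordinary apostrophe is enough to show the difference between the two functions.
$input = "O'Brien";

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The apostrophe terminates the string literal early, so the query text is no
    // longer what the developer wrote: here it is a syntax error, with other input
    // it would silently change the query's meaning.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The prepared statement returns the O'Brien row, because the value stayed data
// and was never parsed as SQL.
print_r(findUserSafe($pdo, $input));
```

The point is that `prepare()` separates the query structure from the values, so the database never has to guess where the data ends; that is also why there is nothing to "sanitise" by hand in the safe version. The same separation is what MySQLi's `bind_param()` gives you, so either extension removes this whole class of findings from a scanner report.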