Parameterized query in render_complex_sql


#1

Hi, I was wondering if there’s any way to pass a parameterized query in render_complex_sql or render_sql in PHP.
$select_statement = 'SELECT * FROM ' . $sometable;
render_sql($select_statement, $id_field, $text_field);

The above query is clearly vulnerable if $sometable is directly taken from GET/POST request. Do we have a fix for this one?
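
A table name cannot be supplied as a bound parameter, so one way to close the hole described in the post is to map the request value to a fixed allowlist before the statement is built. This is an added example, not code from the original post or from the connector library; `ALLOWED_LISTS`, `resolve_list()` and the table and column names are hypothetical.

```php
<?php
// Added example. ALLOWED_LISTS and resolve_list() are hypothetical names,
// and the table/column names are constructed sample values.
const ALLOWED_LISTS = [
    'countries' => ['table' => 'countries', 'id' => 'country_id', 'text' => 'country_name'],
    'cities'    => ['table' => 'cities',    'id' => 'city_id',    'text' => 'city_name'],
];

/**
 * Map a request value to a fixed SQL statement and its id/text field names.
 * Throws InvalidArgumentException for anything not on the allowlist.
 */
function resolve_list($requested): array
{
    // Reject arrays (?table[]=x) and other non-string input before the lookup.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_LISTS)) {
        throw new InvalidArgumentException('Unknown list requested');
    }
    $entry = ALLOWED_LISTS[$requested];
    // Only constants from ALLOWED_LISTS reach the SQL text; the request value never does.
    return ['SELECT * FROM ' . $entry['table'], $entry['id'], $entry['text']];
}

// Constructed sample inputs standing in for a value read from GET/POST.
foreach (['countries', 'unlisted_table', ['countries']] as $input) {
    try {
        [$select_statement, $id_field, $text_field] = resolve_list($input);
        // These three values are the arguments the post passes to render_sql().
        echo "accepted: $select_statement ($id_field, $text_field)\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . json_encode($input) . "\n";
    }
}
```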