Re: Question re: sql injection
- From: shimmyshack <matt.farey@xxxxxxxxx>
- Date: Fri, 29 Jun 2007 04:14:32 -0700
On Jun 29, 9:47 am, Andrew Hutchings <i...@xxxxxxxxxxxx> wrote:
> shimmyshack wrote:
> > On Jun 28, 10:28 pm, jb <jbri...@xxxxxxxxx> wrote:
> > > does wrapping the string in double quotes somehow tell mysql to treat
> > > the contents within as literal? Thus making it sql injection safe?
> > just use mysql_real_escape_string throughout.
> That won't cover things like unicode sql injection attacks for starters.
> Prepared statements are much safer but you need mysqli on your PHP
> installation (or a lot of voodoo with the standard mysql library).
> --
> Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
> Windows is the path to the darkside...Windows leads to Blue Screen. Blue
> Screen leads to downtime. Downtime leads to suffering...I sense much
> Windows in you...
that's true, you do need to validate as well, didn't mean to suggest
that it is a magic bullet!
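Added example, not part of the thread: the three approaches discussed above side by side, in Python against an in-memory SQLite database rather than PHP/MySQL so it runs without a server. `lookup_quoted` is the quote-and-concatenate lookup jb asks about, `lookup_escaped` stands in for `mysql_real_escape_string` (SQLite escapes a quote inside a literal by doubling it, which differs from MySQL's backslash rules), and `lookup_prepared` binds the value the way an mysqli prepared statement does. SQLite reserves double quotes for identifiers, so the literal uses single quotes; MySQL accepts either for strings and the parsing behaviour is the same. The table rows and the hostile input are constructed for the demo. It does not reproduce the character-set problem Andrew refers to, which depends on the server's connection charset and is exactly the class of thing escaping-by-string-building cannot fully cover.

```python
import sqlite3

# Constructed in-memory table standing in for the application's users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    conn.commit()
    return conn

def lookup_quoted(conn, name):
    """Wraps the input in quotes and concatenates it into the statement.
    The quotes only delimit the literal; an input containing a quote closes
    the literal early and everything after it is parsed as SQL. A legitimate
    name such as o'brien breaks the query for the same reason."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def escape_sql_literal(value):
    """Stand-in for mysql_real_escape_string using SQLite's rule (double the
    quote). This is still string building: it is only correct while the
    escape rules match what the server's parser will apply to the bytes."""
    return value.replace("'", "''")

def lookup_escaped(conn, name):
    """Same concatenation as lookup_quoted, but the value is escaped first."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % escape_sql_literal(name)
    return conn.execute(sql).fetchall()

def lookup_prepared(conn, name):
    """Parameter binding: the statement text is fixed and the value travels
    separately to the engine, so it is never tokenised as SQL at all."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: closes the literal and appends a tautology.
    hostile = "x' OR '1'='1"
    print("quoted   ->", lookup_quoted(db, hostile))    # every row comes back
    print("escaped  ->", lookup_escaped(db, hostile))   # []
    print("prepared ->", lookup_prepared(db, hostile))  # []
    print("prepared, real apostrophe ->", lookup_prepared(db, "o'brien"))
```

Run it directly to see the quoted lookup return the whole table for the hostile input, while the escaped and bound versions return nothing because the input is compared as a plain string. The bound version also handles the legitimate apostrophe in `o'brien` without any escaping logic in the application, which is why the thread recommends prepared statements over escaping as the primary control.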