Re: Question re: sql injection
- From: Andrew Hutchings <info@xxxxxxxxxxxx>
- Date: Fri, 29 Jun 2007 16:31:21 GMT
Jerry Stuckle wrote:
> Andrew Hutchings wrote:
>> shimmyshack wrote:
>>> On Jun 28, 10:28 pm, jb <jbri...@xxxxxxxxx> wrote:
>>>> does wrapping the string in double quotes somehow tell mysql to treat
>>>> the contents within as literal? Thus making it sql injection safe?
>>> just use mysql_real_escape_string throughout.
>> That won't cover things like unicode sql injection attacks for starters. Prepared statements are much safer but you need mysqli on your PHP installation (or a lot of voodoo with the standard mysql library).
> Actually, it will. mysql_real_escape_string is charset dependent. If you're using one of the unicode charsets in your table, mysql_real_escape_string will handle it. And if you're not using unicode, the injection won't work, anyway.
No, if you're not using unicode, a certain malformed unicode character can cause an apostrophe, which can then lead to injection (I forget what the code is off the top of my head). Last time I checked, mysql_real_escape_string did not protect against this.
--
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...
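The two points argued above, that escaping is only as good as the charset the escaper knows about and that a prepared statement avoids the question altogether, as an added example that is not part of the thread or of PHP/MySQL. It uses Python's sqlite3 bound parameters as a stand-in for mysqli prepared statements and a simplified re-implementation of MySQL-style quote escaping; escape_text, escape_bytes_naive, build_db and role_for are names introduced here, and the user rows are constructed sample data:

```python
# Added example (not from the thread, PHP or MySQL): charset-aware escaping
# versus a bound parameter.
import sqlite3

# Quote escaping in the style MySQL expects inside a single-quoted literal.
# Simplified illustration only, not mysql_real_escape_string itself.
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
}


def escape_text(value: bytes, charset: str) -> bytes:
    """Escape a byte string that the server will decode with `charset`.

    Decoding first means the escaper sees whole characters, so it cannot
    split a multibyte character and leave an unescaped quote behind.  This is
    why the escaper must be told the connection charset: if the charset given
    here differs from the one the server actually decodes with, the result
    can be wrong even though this function never errors.
    """
    text = value.decode(charset)
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in text)
    return escaped.encode(charset)


def escape_bytes_naive(value: bytes) -> bytes:
    """Byte-oriented escaping that knows nothing about the charset.

    For UTF-8 input this agrees with escape_text, because every byte of a
    multibyte UTF-8 sequence is >= 0x80 and so can never be mistaken for a
    quote or backslash; for legacy multibyte charsets whose sequences may
    contain the bytes 0x27 or 0x5c the two functions diverge.
    """
    out = bytearray()
    for b in value:
        ch = chr(b)
        out += _ESCAPES.get(ch, ch).encode("latin-1")
    return bytes(out)


def build_db() -> sqlite3.Connection:
    """Constructed sample table; sqlite3 stands in for mysqli here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user")],
    )
    return conn


def role_for(conn: sqlite3.Connection, name: str):
    """Look up a role with a bound parameter.

    The value never becomes part of the SQL text, so no escaping and no
    charset bookkeeping is needed: an apostrophe or backslash in `name` is
    just data to compare against.  Returns None when no row matches.
    """
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(escape_text(b"o'brien", "utf-8"))   # b"o\\'brien"
    conn = build_db()
    print(role_for(conn, "o'brien"))           # user
    print(role_for(conn, "o\\'brien"))         # None: the backslash is literal data
```

The escaping path has to be told the charset and has to be told it correctly, whereas role_for works the same for any value because the driver transmits the parameter separately from the statement; that is the practical content of "prepared statements are much safer".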