Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Michael G
September 8, 2005, 2:52 pm
rate this thread
this adequate protection against SQL injection attacks?
I have read a number of archived posts plus I've read some of the info at
php.net. I am still not convinced as to what to do. The php folks claim that
using mysql_real_escape_string is all that is needed. Then on the other
hand, there is a myriad of opinions about that. I think I am inclined to
side with the php folks.
One thing that bothers me about the mysql_real_escape_string is that it
doesn't escape "--" which is a comment. One justification for this is that
it would have to be delimited with an " ' " before it would have any affect.
But I am not totally sure about that either.
Finally, what does the "real" mean in mysql_real_escape_string?
----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
mysql_real_escape_string obeys the character set being used by the
system, which is always a better method.
Chris Shiflett* has a nice article about SQL injection and PHP over at:
[*] - Brief about Chris: http://shiflett.org/about
Justin Koivisto, ZCE - firstname.lastname@example.org