Re: C5 MySQL injection attack ("Union Select")




On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:

> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition to PHP's
> > strip_tags and (deprecated in later versions)
> > mysql_real_escape_string($_GET['....'],$link);
> 
> No.  No.  Nooooooooo.
> 
> You're missing the point that everyone is trying to communicate to you.  
> Do not use string concatenation.  Do not use sprintf.  Do not use 
> mysql_real_escape_string().

I have never (not once) used non-prepared SQL statements, nor string
concatenation, nor sprintf.

mysql_real_escape_string() is useful for storing in tables words with
apostrophes.


-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.
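The point Gordon is pressing in the quoted reply (and the apostrophe case Paul raises) can be shown in a few lines. The following is an added example, not code from this thread or from either poster: a PHP/PDO pattern in which the SQL text never contains user data, so neither mysql_real_escape_string() nor quote-stripping is needed, and values with apostrophes are stored and matched verbatim. The database name, table, credentials and the `title` query parameter are assumptions for the illustration.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumptions: MySQL database "app" with table articles(id INT AUTO_INCREMENT, title VARCHAR(200)),
// placeholder credentials, and a hypothetical $_GET['title'] parameter.

declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements, not client-side emulation,
        // so the driver never splices parameter values into the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Storing a word with an apostrophe: no escaping call, the value is sent
// separately from the statement and lands in the table exactly as given.
function storeTitle(PDO $pdo, string $title): int
{
    $stmt = $pdo->prepare('INSERT INTO articles (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $pdo->lastInsertId();
}

// Looking a title up with request-controlled input: same pattern, same guarantee.
function findByTitle(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll();
}

// Input validation sits on top of parameterisation, never in place of it.
// Bounding the length is sensible; rejecting ' or " is unnecessary here and
// would break legitimate data such as O'Reilly.
function titleFromRequest(array $query): ?string
{
    $title = $query['title'] ?? null;
    if (!is_string($title) || $title === '' || strlen($title) > 200) {
        return null;
    }
    return $title;
}

$pdo = connect();
storeTitle($pdo, "O'Reilly's guide");   // apostrophes stored intact

$title = titleFromRequest($_GET);
if ($title !== null) {
    foreach (findByTitle($pdo, $title) as $row) {
        // Output encoding is a separate concern from query construction.
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With `PDO::ATTR_EMULATE_PREPARES` set to false the statement text and the bound values reach MySQL as two distinct protocol messages, which is why the content of the value, quotes included, cannot change the shape of the query; the mysqli extension's `prepare()`/`bind_param()` pair gives the same property if PDO is not in use.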

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


