In article <33c6269f0510241421p2802061dhe79b3d99495b8087@xxxxxxxxxxxxxx>, Alex Turner <armtuk@xxxxxxxxx> writes:

> delete * from user;
> select * from table where my_id=$in_value
> Am I just smoking crack here, or does this approach have some merit?
> The former :-) The correct defense against SQL injection is proper
> escaping, not quoting. How about $in_value = '1''; delete from user'?
> This would be escaped by magic_quotes resulting in:
> select * from table where my_id='\'1\'\'; delete from user \'', which would
> result in an error, and a failed attack would it not, which would be a good
> thing?

If your "magic_quotes" are magic enough to not blindly surround the argument in quotes, but also escape dangerous chars like "'" inside the argument, then you're safe.

> I tried to create this scenario, but in a transactional environment, it
> executes, but blew the transaction so the data never committed as the select
> query generated an error with the insert on the end...

... and that's exactly what it should do. You just need to catch the error and generate a meaningful error message.

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
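The quoting-versus-escaping point made in this exchange, as an added example that is not code from the thread: a Python/SQLite rerun of the input the thread discusses, `1'; delete from user`, through plain quoting, quote-plus-escape, and a bound parameter. The table name `user` and column `my_id` are taken from the message; `executescript` stands in for a driver that accepts several `;`-separated statements in one call, and the two-row table is constructed here.

```python
import sqlite3

# Constructed input: the value the thread discusses as $in_value.
PAYLOAD = "1'; delete from user"


def quote_only(value: str) -> str:
    """Wrap the value in quotes and nothing else (what the thread calls 'quoting')."""
    return "'" + value + "'"


def quote_and_escape(value: str) -> str:
    """Wrap in quotes AND double every embedded quote, so the value cannot end the literal."""
    return "'" + value.replace("'", "''") + "'"


def fresh_db() -> sqlite3.Connection:
    """Constructed fixture: a 'user' table with two rows, keyed by my_id as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("create table user(my_id text); insert into user values ('1'), ('2');")
    return conn


def lookup(builder, value: str) -> dict:
    """Build the lookup with `builder` and report the SQL text, any error, and surviving rows."""
    conn = fresh_db()
    sql = "select * from user where my_id=" + builder(value)
    result = {"sql": sql, "error": None, "rows_left": None}
    try:
        # executescript behaves like a driver that runs several ';'-separated statements.
        conn.executescript(sql)
    except sqlite3.Error as exc:
        result["error"] = str(exc)
    result["rows_left"] = conn.execute("select count(*) from user").fetchone()[0]
    return result


def lookup_bound(value: str) -> dict:
    """Parameter binding: the value is sent separately and never becomes SQL text."""
    conn = fresh_db()
    matched = conn.execute("select * from user where my_id=?", (value,)).fetchall()
    rows_left = conn.execute("select count(*) from user").fetchone()[0]
    return {"matched": len(matched), "rows_left": rows_left}


if __name__ == "__main__":
    for name, builder in (("quote only", quote_only), ("quote+escape", quote_and_escape)):
        print(name, lookup(builder, PAYLOAD))
    print("bound", lookup_bound(PAYLOAD))
```

With plain quoting the text reaching the database contains two statements and, as the thread observed, only the resulting syntax error keeps the second from running; with escaping it stays a single harmless statement, and with binding the value never mixes into the SQL at all.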