On Mon, April 11, 2005 12:16 am, info@xxxxxxxxxxxxxx said:
> I have a quick question: To use a custom solution for inhibiting sql
> injection attacks and not a database specific solution like
> mysql_real_escape_string()
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> ... that will run on any database, not just MySql, would the following be
> a viable solution:
>
> a. addslashes() to all variables and
> b. remove specific unwanted characters from input including:
>
> -- [comment sign in SQL]
> ' [single quote]

No. # is the comment sign in SQL

No, wait, it's /* ... */

No, wait, there is no comment sign in SQL. Which database are you using?

> It is possible to just destroy the unwanted characters in a login form and
> prohibit use of those characters in username and password fields.

That also can help, but you want some alphanumeric *AND* punctuation for
good passwords.

> Would a. plus b. above provide reasonably good protection to inhibit sql
> injection attacks, or what is the best database independent approach using
> php and not a database function?

    class PlatformIndependentDatabase {
        var $platform;

        /* Constructor sets $platform to 'mysql', or 'pgsql' or 'sql-server' ... */
        function __construct($platform) {
            $this->platform = $platform;
        }

        /* Dispatch to the escaping function of whichever database is in use. */
        function escape_string($string) {
            switch ($this->platform) {
                case 'mysql':
                    return mysql_real_escape_string($string);
                case 'pgsql':
                    return pg_escape_string($string);
                default:
                    error_log("$this->platform has NO escape string?!");
                    return $string;
            }
        }
    }

Disclaimer: I don't use platform-independent db code, cuz I don't expect to
switch any time, and I don't use objects, cuz I'm a solo author and can write
better/faster code without them, so I likely have syntax errors in the above.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
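A database-independent approach that sidesteps escaping entirely, added here as an example and not part of the original thread: PDO prepared statements with bound parameters, where the driver ships the value separately from the SQL text, so quotes and comment sequences in input never need stripping. It assumes PHP with the pdo_sqlite extension; the table, row and usernames are constructed for the demonstration.

```php
<?php
// Added example: the same code runs unchanged against MySQL, PostgreSQL,
// SQLite, etc., because the placeholder syntax and binding are PDO's, not
// the database's. An in-memory SQLite database keeps it runnable offline.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

    // Constructed sample account. The username contains a single quote and
    // the password contains both a quote and "--"; neither needs escaping.
    $ins = $pdo->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :h)');
    $ins->execute([
        ':u' => "o'brien",
        ':h' => password_hash("pa'ss--word", PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

function authenticate(PDO $pdo, string $username, string $password): bool {
    // User input is never concatenated into the SQL string. The bound value
    // is delivered as data, so it can only ever match a username literally.
    $stmt = $pdo->prepare('SELECT pwhash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash rather than a cleartext column.
    return $row !== false && password_verify($password, $row['pwhash']);
}

$pdo = connect();
var_dump(authenticate($pdo, "o'brien", "pa'ss--word"));   // bool(true)
var_dump(authenticate($pdo, "o'brien--", "pa'ss--word")); // bool(false): "--" is just part of a name that does not exist
var_dump(authenticate($pdo, "o'brien", "wrong"));         // bool(false)
```

For the rare statement parts that cannot be bound (identifiers, ORDER BY columns), whitelist them against a fixed list in PHP rather than escaping them.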