On Oct 30, 2006, at 1:10 PM, Dotan Cohen wrote:
On 30/10/06, Stut <stuttle@xxxxxxxxx> wrote:
Ed Lazor wrote:
> It looks like you guys are coming up with some cool solutions, but I
> have a question. Wasn't the original purpose of this thread to
> prevent sql injection attacks in input from user forms? If so,
> wouldn't mysql_real_escape_string be an easier solution?
Me thinkie nottie. From the OP...
"I need to remove the noise words from a search string."
Yes, that is also part of the aim.
How come? Not trying to be facetious here. I'm just wondering if
you see a benefit that I don't. For example, say the hacker injects
some sql and you use mysql_real_escape_string. You end up with
something like this... actually, I'll do one step further and just
use the quote_smart function described in the
mysql_real_escape_string page of the php manual:
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
quote_smart($_POST['username']),
quote_smart($_POST['password']) );
Say the user tried to inject sql in $_POST['username'] and it looked
something like: root';drop all;
Having used quote_smart, the value of $query ends up
SELECT * FROM users WHERE user='root\'\;drop all\;' AND
password='something'
The sql injection fails. The data is seen as a literal. The
database is going to think there's no user with that name. That
means that even if the user did include extra words, they're just
part of the value that is checked against user names - rather than
being seen as potential commands.
I'm not sure if I'm describing this well, so let me know what you
think and I'll go from there.
-Ed
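The escape-then-sprintf approach Ed describes, shown beside a prepared statement, as an added example that is not from the thread. The quote_smart() below is a stand-in written for this example (the manual's version needs a live MySQL connection), and the in-memory SQLite table is an assumption so the prepared lookup runs without a MySQL server.

```php
<?php
// Added example, not code from the thread. quote_smart() here stands in for the
// PHP manual function Ed mentions: it applies the same escaping rules as
// mysql_real_escape_string (NUL, \n, \r, \, ', ", Ctrl-Z) without a MySQL connection.
function quote_smart(string $value): string
{
    $escaped = strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
    return "'" . $escaped . "'";
}

// Builds the query the way the thread does: every value becomes an escaped literal.
function build_escaped_query(string $username, string $password): string
{
    return sprintf(
        "SELECT * FROM users WHERE user=%s AND password=%s",
        quote_smart($username),
        quote_smart($password)
    );
}

// The same lookup as a prepared statement on an in-memory SQLite table
// (pdo_sqlite), so it runs offline. The values never enter the SQL text at all.
function count_matches_prepared(string $username, string $password): int
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (user TEXT, password TEXT)");
    $pdo->exec("INSERT INTO users VALUES ('alice', 'something')");
    $stmt = $pdo->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed input, taken from the thread's own example.
$username = "root';drop all;";
$password = 'something';

echo build_escaped_query($username, $password), "\n";
echo "Rows matched by the prepared statement: ",
    count_matches_prepared($username, $password), "\n";
```

Note that the semicolon is not among the characters mysql_real_escape_string escapes; the injection fails because the embedded quote becomes \' and can no longer close the literal, and mysql_query() sends only a single statement regardless. The prepared statement sidesteps escaping rules entirely and matches no row for the injected username.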
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php