On Fri, November 3, 2006 5:30 am, Dotan Cohen wrote:
> To all others who took part in this thread: I was unclear on another
> point as well, the issue of sql-injection. As I'm removing the
> symbols, signs, and other non-alpha characters from the query, I
> expect it to be sql-injection proof. Am I wrong? ie, could an attacker
> successfully inject sql if he has nothing but alpha characters at his
> disposal? I think not, but I'd like to hear it from someone with more
> experience than I.

In Latin1, ISO-8859-1 or whatever, plain old not-quite-ASCII, yeah, you
should be safe, I think...

I'm making *no* promises if your DB is configured to accept some *other*
character set, or the Bad Guy manages to trick it into thinking it
should be using that charset.

Why the big deal about just calling mysql_real_escape_string() on your
data? Or using prepared statements and that ilk?

Then you'd be 100% sure, and not worrying about it, eh?

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
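The three points in the reply above, worked through in code. This is an added example and not code from either poster or from PHP/MySQL: it uses Python with an in-memory SQLite table as a stand-in for the MySQL table, a constructed `users` table, a constructed injection payload, and a deliberately charset-unaware quote escaper (a simplified addslashes(), assumed here for illustration; mysql_real_escape_string() is charset-aware, which is precisely why the reply recommends it). The last function shows the charset caveat the reply raises, using the well-known case of a byte-wise escaper whose inserted backslash gets swallowed into a two-byte GBK character, freeing the quote that followed it.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the MySQL table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def strip_non_alpha(user_input):
    """The filter the original poster describes: keep only ASCII letters."""
    return re.sub(r"[^A-Za-z]", "", user_input)


def lookup_concat(conn, name):
    """Vulnerable: the query is built by string concatenation, so quotes in
    `name` are parsed as SQL."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_filtered(conn, name):
    """Same concatenation, but the input is reduced to letters first."""
    return lookup_concat(conn, strip_non_alpha(name))


def lookup_param(conn, name):
    """Parameterised (prepared-statement style) query: the value is bound,
    never parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def escape_quotes_bytewise(data):
    """Simplified, charset-unaware addslashes(): prefix every backslash and
    quote byte with a backslash. Assumed here to illustrate the caveat; it is
    NOT how mysql_real_escape_string() behaves."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def charset_confusion_demo():
    """Escape the constructed bytes 0xBF 0x27 (a GBK lead byte, then a quote)
    byte-wise, then read the result under two charsets.

    Returns (as_latin1, as_gbk). Under Latin1 the quote is still escaped;
    under GBK the bytes 0xBF 0x5C form one two-byte character, so the
    backslash is consumed and the quote is back in play."""
    payload = b"\xbf'"
    escaped = escape_quotes_bytewise(payload)      # b"\xbf\\'"
    return escaped.decode("latin-1"), escaped.decode("gbk")


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("concatenated :", lookup_concat(db, attack))    # leaks every secret
    print("alpha-only   :", lookup_filtered(db, attack))  # name becomes 'OR'
    print("parameterised:", lookup_param(db, attack))     # no such user
    latin1, gbk = charset_confusion_demo()
    print("latin1 view  :", repr(latin1))
    print("gbk view     :", repr(gbk))
```

The alpha-only filter does defeat the classic payload here, which matches the reply's "yeah, you should be safe" for a single-byte charset. The last function is the "no promises" part: the same escaped bytes are harmless or dangerous depending only on which charset the server believes the connection is using, which is why binding parameters (or a charset-aware escaper tied to the live connection) is the answer that does not depend on guessing right.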