Re: str_replace on words with an array

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/11/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Fri, November 3, 2006 5:30 am, Dotan Cohen wrote:
> To all others who took part in this thread: I was unclear on another
> point as well, the issue of sql-injection. As I'm removing the
> symbols, signs, and other non-alpha characters from the query, I
> expect it to be sql-injection proof. As I wrong? ie, could an attacker
> successful inject sql if he has nothing but alpha characters at his
> disposal? I think not, but I'd like to hear it from someone with more
> experience than i.

In Latin1, ISO-8891-1 or whatever, plain old not-quite-ASCII, yeah,
you should be safe, I think...

I'm making *no* promises if your DB is configured to accept some
*other* character set, or the Bad Guy manages to trick it into
thinking it should be using that charset.

Yep, configured to accept UTF-8. Us Hebrew-speakers and our funny letters :)

Why the big deal about just calling mysql_real_escape_string() on your
data?

No biggie- I'm doing that too.

Or using prepared statements and that ilk?

Then you'd be 100% sure, and not worrying about it, eh?

Well, abstinence is not an option! I can't use prepared statements on
a full-text search.

Thanks, Richard. When is that Uranus office opening???? I've been
waiting almost five years!!

Dotan Cohen

nirot.com
http://what-is-what.com/what_is/ubuntu.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux