On 03/11/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
> On Fri, November 3, 2006 5:30 am, Dotan Cohen wrote:
> > To all others who took part in this thread: I was unclear on another
> > point as well, the issue of sql-injection. As I'm removing the
> > symbols, signs, and other non-alpha characters from the query, I
> > expect it to be sql-injection proof. Am I wrong? i.e., could an attacker
> > successfully inject sql if he has nothing but alpha characters at his
> > disposal? I think not, but I'd like to hear it from someone with more
> > experience than I.
>
> In Latin1, ISO-8891-1 or whatever, plain old not-quite-ASCII, yeah, you
> should be safe, I think...
>
> I'm making *no* promises if your DB is configured to accept some *other*
> character set, or the Bad Guy manages to trick it into thinking it should
> be using that charset.
Yep, configured to accept UTF-8. Us Hebrew-speakers and our funny letters :)
> Why the big deal about just calling mysql_real_escape_string() on your data?
No biggie- I'm doing that too.
> Or using prepared statements and that ilk? Then you'd be 100% sure, and
> not worrying about it, eh?
Well, abstinence is not an option! I can't use prepared statements on a
full-text search.

Thanks, Richard. When is that Uranus office opening???? I've been waiting
almost five years!!

Dotan Cohen
nirot.com
http://what-is-what.com/what_is/ubuntu.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
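The two points raised in the thread, a letters-only filter that survives UTF-8 input and a full-text query issued through a prepared statement, as an added example that is not from the original messages. It assumes an existing PDO connection `$pdo` to MySQL and a table `articles` with a FULLTEXT index on `(title, body)`; those names are assumptions, not from the thread.

```php
<?php
// Added example, not part of the mailing-list thread. Assumes a PDO connection
// $pdo to MySQL and a table `articles` (id, title, body) with a FULLTEXT index
// on (title, body); these names are assumptions.

/**
 * Keep only letters (any script, Hebrew included) and whitespace.
 * A plain [^a-zA-Z] filter applied to UTF-8 would throw away every non-Latin
 * letter and the individual bytes of multibyte characters with it; \p{L}
 * with the /u modifier matches letters as Unicode code points instead.
 */
function keepLetters(string $input): string
{
    $letters = preg_replace('/[^\p{L}\s]+/u', ' ', $input);
    // preg_replace() returns null on malformed UTF-8; treat that as empty input.
    return trim(preg_replace('/\s+/u', ' ', $letters ?? ''));
}

/**
 * Full-text search with the search terms bound as a parameter, so user data
 * never becomes part of the SQL text, whatever charset the connection uses.
 * The letter filter above is defence in depth; the placeholder is what
 * actually rules out injection.
 */
function searchArticles(PDO $pdo, string $userInput): array
{
    $terms = keepLetters($userInput);
    if ($terms === '') {
        return [];
    }
    // MySQL accepts a placeholder as the AGAINST() argument.
    $stmt = $pdo->prepare(
        'SELECT id, title FROM articles
          WHERE MATCH(title, body) AGAINST(? IN NATURAL LANGUAGE MODE)'
    );
    $stmt->execute([$terms]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (constructed): set the connection charset in the DSN so server and
// client agree on it, and disable emulated prepares so the server, not a
// client-side escaping routine, handles the parameter.
// $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', $user, $pass,
//     [PDO::ATTR_EMULATE_PREPARES => false]);
// print_r(searchArticles($pdo, $_GET['q'] ?? ''));
```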