Re: Re: Protecting MySQL Injection from PHP form

On May 25, 2007, at 8:47 AM, Jochem Maas wrote:

check this, check that.

granted the OP posted quite a bit of irrelevant code with regard to SQL injection protection. BUT his use of parameterized queries should protect against injection because MySQL knows what to do with the data (i.e. escape it), which only leaves the question as to whether the character encoding is correctly set up so that nothing funky can get through (although I believe an article by Chris Shiflett pointed out a situation where even if you got everything right it was possible to do SQL injection in some edge cases by submitting specific 'broken' strings).


I apologize for posting the entire add script, but I wasn't sure what was needed to check if I was doing it right or not. I figured in this case it was better to give too much info rather than not enough. My big main goal is to make this bit of software as secure/safe as possible.

I will double check the character encoding, which would be done on the database, correct?

Now if only I could get a check box to show up so I can delete multiple people at one time :) But I'm still learning about that.

Thanks for looking! I really appreciate it!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
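
An added example, not code from this thread or its posters: the two points discussed above in PHP with mysqli, setting and checking the character set on the connection itself and binding every value, including the ids a multi-delete checkbox form would submit. The table `people`, its columns and the `DB_*` environment variables are hypothetical placeholders.

```php
<?php
// Added example: table `people`, its columns and the DB_* environment
// variables are hypothetical placeholders, not taken from the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

function connect(): mysqli
{
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'),
                     getenv('DB_PASS'), getenv('DB_NAME'));
    // The client character set is a property of each connection, separate
    // from the database or table default, so set it here through the API.
    $db->set_charset('utf8mb4');
    if ($db->character_set_name() !== 'utf8mb4') {
        throw new RuntimeException('unexpected connection charset');
    }
    return $db;
}

function addPerson(mysqli $db, string $name, string $email): int
{
    // Values travel separately from the SQL text; nothing is concatenated.
    $stmt = $db->prepare('INSERT INTO people (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);
    $stmt->execute();
    return (int) $db->insert_id;
}

function deletePeople(mysqli $db, array $rawIds): int
{
    // Checkbox values arrive as strings; keep only positive integers.
    $ids = [];
    foreach ($rawIds as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) { $ids[] = $id; }
    }
    if ($ids === []) { return 0; }
    // One placeholder per id; only "?" characters are built into the SQL.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM people WHERE id IN ($marks)");
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();
    return $stmt->affected_rows;
}

$db = connect();
$newId = addPerson($db, "O'Brien", 'obrien@example.com'); // constructed sample
echo deletePeople($db, [(string) $newId, 'not-a-number']), "\n";
```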

