Re: Using mysql_real_escape_string without connecting to mysql

On 24/01/2008, Richard Lynch <ceo@xxxxxxxxx> wrote:
> On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> > Is the "--" here not treated as the beginning of an SQL comment?
>
> No, because it is inside the apostrophes.
>
> The purpose of mysql_real_escape_string (or using prepared statements)
> is to mark up (or separate) the DATA from the QUERY.
>
> The data about to be put into the database being escaped by
> mysql_real_escape_string is sufficient to be sure nobody is playing
> games with apostrophe followed by -- which could, in theory, insert an
> SQL comment or allow them to execute arbitrary SQL code.
In that case, the function:

function clean_mysql ($dirty) {
  $dirty=str_replace ("--", "", $dirty);
  $dirty=str_replace (";", "", $dirty);
  $clean=mysql_real_escape_string($dirty);
  return $clean;
}

Can be reduced to:

function clean_mysql ($dirty) {
  $clean=mysql_real_escape_string($dirty);
  return $clean;
}

Which basically is the same as a simple mysql_real_escape_string? In other words, mysql_real_escape_string itself is safe from SQL injection?
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת;

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
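The point Richard makes, checked offline as an added example (this is not code from the thread or from PHP): the escaping rules of mysql_real_escape_string re-implemented in Python from the MySQL C API documentation, a small scanner that shows which part of the resulting query the parser reads as SQL syntax rather than data, and, for the prepared-statement alternative he also names, the stdlib sqlite3 driver standing in for a MySQL server. The users table and its columns are constructed for the demonstration.

```python
import sqlite3

# Characters mysql_real_escape_string rewrites, per the MySQL C API docs
# (default sql_mode, i.e. backslash escapes enabled).  Charset-dependent
# multibyte handling is left out; assume an ASCII/UTF-8 connection.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_escape(value: str) -> str:
    """Apply the same rewriting mysql_real_escape_string would."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def quoted_query(name: str) -> str:
    """Richard's pattern: the escaped value sits inside apostrophes."""
    return "SELECT id FROM users WHERE name = '%s'" % mysql_escape(name)

def unquoted_query(user_id: str) -> str:
    """Same escaping, no apostrophes: '--' passes through, nothing is neutralised."""
    return "SELECT id FROM users WHERE id = %s" % mysql_escape(user_id)

def outside_literals(query: str) -> str:
    """Return what the MySQL parser reads as syntax: every character that is
    not inside a single-quoted literal.  Backslash escapes are honoured."""
    out, in_literal, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_literal and ch == "\\":
            i += 2                      # escaped char stays inside the literal
            continue
        if ch == "'":
            in_literal = not in_literal
        elif not in_literal:
            out.append(ch)
        i += 1
    return "".join(out)

def comment_reaches_parser(query: str) -> bool:
    """True if a '--' in the query text would be read as an SQL comment."""
    return "--" in outside_literals(query)

def prepared_lookup(name: str) -> list:
    """Prepared statement, demonstrated on a constructed in-memory SQLite table
    (stdlib; no MySQL server needed).  The value is bound separately and never
    becomes part of the SQL text, so no escaping or stripping is involved."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'dotan'), (2, 'x'' --')")
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
```

With the value quoted, the apostrophe-plus-`--` input stays inside the literal, so the str_replace calls in clean_mysql add nothing; with the value unquoted the same escaping leaves `--` visible to the parser, which is why the quoting (or a prepared statement) is the part that matters.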
