Re: Using mysql_real_escape_string without connecting to mysql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 24/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:> > Which basically is the same as a simple mysql_real_escape_string? In> > other words, mysql_real_escape_string itself is safe from SQL> > injection?>> not exactly - it assumes you will use the value as a quoted string in a query.>> $s = clean_mysql("foo -- bar ; ' qux")> $q = "INSERT INTO foo (bar) VALUES ('$s')";
Ah, we've gotten to the meat. So long as there as single quotes aroundthe data that has gone through mysql_real_escape_string there is nodanger of SQL injection? So this is safe:mysql_query("    INSERT INTO        foo (bar)    VALUES (        '".mysql_real_escape_string($evilString)."')");
Dotan Cohen
http://what-is-what.comhttp://gibberish.co.ilא-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת;
A: Because it messes up the order in which people normally read text.Q: Why is top-posting such a bad thing?

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux