On Thu, January 24, 2008 10:01 am, Dotan Cohen wrote:
> On 24/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
>> > Which basically is the same as a simple mysql_real_escape_string? In
>> > other words, mysql_real_escape_string itself is safe from SQL
>> > injection?
>>
>> not exactly - it assumes you will use the value as a quoted string
>> in a query.
>>
>> $s = clean_mysql("foo -- bar ; ' qux");
>> $q = "INSERT INTO foo (bar) VALUES ('$s')";
>
> Ah, we've gotten to the meat. So long as there are single quotes around
> the data that has gone through mysql_real_escape_string there is no
> danger of SQL injection? So this is safe:
>
> mysql_query("
> INSERT INTO
> foo (bar)
> VALUES (
> '".mysql_real_escape_string($evilString)."'
> )");

It is safe from SQL injection.

It is NOT safe from, say, an XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.

In other words, you should still filter the INPUT somewhere; but you are
escaping the output to MySQL so that it is not going to execute arbitrary
SQL on your DB server.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
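The two points the reply makes (escaping only helps a value that sits inside quotes, and escaping for MySQL says nothing about the browser) are illustrated below in an added example that is not part of the thread. It assumes a mysqli connection to a table foo(id INT, bar VARCHAR) and uses placeholder credentials; mysqli's real_escape_string plays the role of mysql_real_escape_string, which later PHP versions removed.

```php
<?php
// Added example, not from the thread. DB_USER/DB_PASS/DB_NAME are placeholders;
// assumes a table foo(id INT, bar VARCHAR) exists.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');

// --- SQL context, quoted string: escaping does its job -------------------
// The thread's own sample value: a comment marker, a statement separator and
// a single quote. After escaping, the quote stays inside the literal.
$evilString = "foo -- bar ; ' qux";
$s = $db->real_escape_string($evilString);
$db->query("INSERT INTO foo (bar) VALUES ('$s')");   // safe from injection

// --- SQL context, unquoted value: the same escaping is no protection ------
// real_escape_string only rewrites quote, backslash and control characters.
// A value that contains none of them passes through unchanged, so in an
// unquoted position it can still change the meaning of the query.
$id = "1 OR 1=1";
$unsafe = "SELECT bar FROM foo WHERE id = " . $db->real_escape_string($id);
// -> "SELECT bar FROM foo WHERE id = 1 OR 1=1"  (deliberately not executed)

// Fix: give the value the type the column expects, or better, let a
// prepared statement keep data out of the SQL text in every context.
$idInt = (int) $id;                                   // 1
$stmt  = $db->prepare("SELECT bar FROM foo WHERE id = ?");
$stmt->bind_param('i', $idInt);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// --- HTML context: escaping for MySQL did nothing for the browser ---------
// What was stored is the original string, not the escaped one. Re-displaying
// it needs escaping for HTML, which is a separate step at output time.
echo '<p>' . htmlspecialchars($row['bar'], ENT_QUOTES, 'UTF-8') . "</p>\n";
```

Each escaping step is tied to the context the value is about to enter (SQL string literal, HTML text), which is why a single "clean" function on input cannot replace either of them.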