On Mon, February 11, 2008 9:27 am, Emil Edeholt wrote:
> Thanks. Sure, I know how to escape and filter the input. But since
> not all my sites use PDO yet, and I use some external code, it would be a
> good idea to also use an SQL injection scanner.

Scanning for SQL injection is like a "blacklist" approach -- always bound to be another injection you didn't think of.

Validating the data and using mysql_real_escape_string is the "whitelist" approach -- you specifically require the data to be of the correct format, and you get MySQL to delimit it properly as DATA and not SQL CODE.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
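The whitelist approach described in the reply above, as an added example that is not part of the original thread: each input is first required to match the exact shape the application expects, and only then is it handed to the database as a bound parameter so the driver delimits it as data. The example uses an in-memory SQLite database through PDO so that it runs without a MySQL server; the `users` table, the `validUserId`/`validUsername`/`findUserById` helpers and the sample inputs are all constructed for this illustration. On a site that still uses ext/mysql or mysqli, the delimiting step would be mysql_real_escape_string() or mysqli_real_escape_string() on an open connection instead of the bound parameter shown here; the validation step is the same.

```php
<?php
// Added example (not from the mailing-list post): whitelist validation
// followed by a parameterised query. Assumes PDO with the sqlite driver
// so it can run offline; the table and data below are constructed.

// Whitelist check for a numeric id: only ASCII digits, no sign, no
// whitespace, no leading zero, at most ten digits. Anything else is null.
function validUserId(string $raw): ?int
{
    if (preg_match('/^[1-9][0-9]{0,9}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Whitelist check for a username: letters, digits, underscore, 3..32 chars.
function validUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Look up a user by id. Input that fails validation never reaches SQL;
// input that passes is still bound as a parameter, so the driver delimits
// it as DATA rather than letting it be parsed as SQL code.
function findUserById(PDO $db, string $raw): ?array
{
    $id = validUserId($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: an in-memory database with two users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed sample inputs: one well-formed id, one with trailing SQL,
// one with surrounding whitespace, one that is not numeric at all.
$inputs = ['2', '2 OR 1=1', ' 2 ', 'abc'];
foreach ($inputs as $raw) {
    $row = findUserById($db, $raw);
    printf("%-14s => %s\n", var_export($raw, true),
        $row === null ? 'rejected by whitelist' : "user {$row['name']}");
}

// Even a validated string is delimited by the driver; PDO::quote() shows
// the delimited form that a bound parameter is protected by.
$name = validUsername('o_neil') ?? 'rejected';
echo 'Quoted form: ', $db->quote($name), "\n";
```

Only the first input reaches the query and returns `user bob`; the other three are rejected before any SQL is built, which is the point of the reply: the application states what valid data looks like instead of trying to enumerate what an injection looks like.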