On Mon, Feb 22, 2010 at 5:02 PM, Slack-Moehrle <mailinglists@xxxxxxxxxxxxxxx> wrote:

> John,
>
>>> Then if you use a MySQL database you would escape the string like this
>>> $tmp = mysql_real_escape_string($_REQUEST['yyy']);
>
>>> mysql_real_escape_string() protects from SQL injection by escaping your
>>> string according to what your charset requires.
>
> Good point, I should be doing that. But only to String, not data stored in MySQL as Int or Date, etc.
>
> -ML

Just to clarify, while you would not use mysql_real_escape_string() for datatypes other than strings, you still need to do filtering, validation, and sanity checking on other datatypes as well. As I pointed out in another thread recently, these are just as vulnerable to SQL injection even though the variable values are expected to be integers or dates:

$sql = "SELECT `my_id`, `my_message` FROM `my_comments` WHERE `my_id` = $my_id";

$sql = "SELECT `post_id`, `post_text`, `post_date` FROM `blog_posts` WHERE `post_date` BETWEEN '$first_post_date' AND '$last_post_date'";

IMO mysql_real_escape_string() (or any similar function used for different db vendors) is just a method to escape sequences that have special meaning in a SQL query. It is the LAST step you should perform when processing input to be saved in a MySQL database (when parameterized queries are not available), after you have done everything you can to ensure that ALL the values being passed in the query are valid.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
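Added example (my code, not from Andrew's message or the PHP project) showing the validation step he describes for the integer and date inputs of the two queries above, with the validated values then bound through a mysqli prepared statement; the function names and the mysqli connection are assumptions.

```php
<?php
// Validate the non-string inputs first; only then let them near a query.
// Function names here are illustrative, not from the thread.

// Returns a positive integer or null. FILTER_VALIDATE_INT accepts digits with an
// optional sign only, so "1 OR 1=1", "1e3" and "0x1A" all come back as false.
function validated_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns a YYYY-MM-DD string or null. createFromFormat() returns false on
// trailing data (e.g. "2010-02-22' OR '1'='1"), and the round-trip comparison
// rejects impossible dates such as 2010-02-30 that it would otherwise roll over.
function validated_date(string $raw): ?string
{
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

function fetch_posts(mysqli $db, string $rawFirst, string $rawLast): array
{
    $first = validated_date($rawFirst);
    $last  = validated_date($rawLast);
    // Sanity check on the range as well as the format of each value.
    if ($first === null || $last === null || $first > $last) {
        throw new InvalidArgumentException('invalid date range');
    }
    // Placeholders keep the values out of the SQL text entirely, so escaping is
    // no longer what stands between the request and the query.
    $stmt = $db->prepare('SELECT `post_id`, `post_text`, `post_date` FROM `blog_posts` '
                       . 'WHERE `post_date` BETWEEN ? AND ?');
    $stmt->bind_param('ss', $first, $last);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function fetch_comment(mysqli $db, string $rawId): ?array
{
    $id = validated_id($rawId);
    if ($id === null) {
        throw new InvalidArgumentException('invalid id');
    }
    $stmt = $db->prepare('SELECT `my_id`, `my_message` FROM `my_comments` WHERE `my_id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```

If a driver without placeholders forces you to interpolate, the escaping call goes at the very end of this path, after the validation functions have already rejected anything that is not a well-formed integer or date.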