Sorry, but escaping doesn't protect against MySQL injection either. It is not a good answer, nor does it really work; it's an effort, yes, but in a Unicode world we pretty much have the ability to override what it means to be a character through best-guess matching, etc. It just doesn't quite work. Either pass data and code on different paths (i.e. prepared statements), or set up b64 encrypt and decrypt modules in MySQL and wrap your vars in that (i.e. "select * from somewhere where `foo`=b64d('".{$b64_foo}."') ... etc").

Please refer any question about why escaping doesn't work to a talk that Dan Kaminsky gave at the HOPE conference; I'd rather not have to restate, and it's an excellent talk...

On Aug 9, 2011 4:21 PM, "Ashley Sheridan" <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> David Green <simpill@xxxxxxxxx> wrote:
>
>> Thank you all for the various suggestions.
>>
>> It now works with this:
>>
>> $find = strip_tags($find);
>> $find = trim($find);
>>
>> $data = mysql_query("SELECT * FROM news_items WHERE headline LIKE
>> '%$find%'");
>>
>> Another "newb" question: does strip_tags() help at all in preventing
>> SQL injection attacks?
>>
>> Kind regards
>> David
>
> strip_tags() doesn't prevent against SQL injection. At best, it can protect slightly against XSS attacks. Use mysql_real_escape_string() for SQL injection.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
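As an added example that is not part of the thread, here is David's LIKE search written both ways in PHP: the spliced-string form from his post beside a PDO prepared statement that carries the search term as bound data. It runs against an in-memory SQLite database (assumes the pdo_sqlite extension is loaded; the same PDO calls work with a mysql: DSN) and uses a constructed search term to show the difference.

```php
<?php
// Added example, not code from the thread. Builds a tiny news_items table in
// SQLite so the script runs offline; swap the DSN for mysql: in real use.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news_items (id INTEGER PRIMARY KEY, headline TEXT)');
$ins = $db->prepare('INSERT INTO news_items (headline) VALUES (?)');
foreach (['PHP 5.4 released', 'MySQL tuning tips', 'Board meeting minutes'] as $h) {
    $ins->execute([$h]);
}

// Vulnerable form (as in the original post): $find is spliced into the SQL
// text, so the parser treats whatever it contains as code.
function searchVulnerable(PDO $db, string $find): array
{
    $find = trim(strip_tags($find)); // strip_tags does nothing for SQL injection
    $rows = $db->query("SELECT headline FROM news_items WHERE headline LIKE '%$find%'");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// Safe form: code and data travel on separate paths. The statement text is
// fixed at prepare time and $find is bound as a value. '%' and '_' are escaped
// as well, so the user cannot widen the search with their own wildcards.
function searchPrepared(PDO $db, string $find): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], trim($find));
    $stmt = $db->prepare("SELECT headline FROM news_items WHERE headline LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: a term that closes the quoted pattern in the spliced query
// and appends an always-true condition. No HTML tags, so strip_tags is inert.
$input = "zzz%' OR '1' LIKE '1";

var_dump(searchVulnerable($db, $input)); // all three headlines: the WHERE clause became always-true
var_dump(searchPrepared($db, $input));   // empty array: the whole term was matched literally
var_dump(searchPrepared($db, 'mysql'));  // ["MySQL tuning tips"]
```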