mysql_real_escape_string is by far better than a simple regex. The post on stackoverflow is a bit misleading. Select * from table where id = 1 or true Would select all, yes. One should always put the value into single quotes. That way the "attack " from the stackoverflow post isn't possible at all. Strings in sql can also be used when the value is a non string type like integer. The above query would become select * from table where id = '1 or true' Now there is no injection possible because ' is illegal. Select * from table where id = '1' Will still work as expected. However, parameterized queries simplify injection prevention and if possible should be preferred. Knowing that any value can be forced to be literal with single quotes is probably the most useful piece of information here. On Fri, Jul 22, 2016, 09:08 Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote: > On Thu, 2016-07-21 at 23:04 -0400, Omega -1911 wrote: > > On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote: > > > > > Prepared statements have nothing to do with htmlentities (probably > since > > > its an old code it was doing it wrong, should have been using > > > mysql_real_escape_string). > > > > > > > > That is NOT true. To rely on mysql_real_escape_string still leaves an > open > > window to attack: > > > http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string > > > > A simple regex (or so) to only allow approved characters would be better > > practice. > > That would NOT be a better practice, as your regex would need to be > unnecessarily complicated for all the characters you want to allow (and > what about poor old Patrick O'Leary who you just prevented entry to your > form because they have an apostrophe in their name that you forgot to > include? > > https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ > ) > > Use prepared statements with PDO, they will protect you to the level you > want. At this point anything is better than the mysql_* functions you > appear to be using. > > htmlentities() is only for presentation to a browser when the content is > HTML. It's very bad practice to use this on content before entering it > into a DB, as that's modifying the content in a way that can't be easily > undone (e.g. if the content already legitimately had encoded HTML in > there.) > > Thanks, > Ash > > http://www.ashleysheridan.co.uk > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
