Re: mysql_escape_string()

On Saturday 10 April 2004 01:13, Chris Baechle wrote:

> As pointed out by rain forest puppy
>
> http://www.wiretrip.net/rfp/txt/phrack55.txt
>
> All metacharacters as defined by the W3C should be escaped for security
> reasons, whether it be an SQL query or a shell command.

Where does it mention "sql query"? The article is mostly talking about CGI 
programming using Perl with reference to the w3c www security faq. And the 
metacharacters talked about are shell metacharacters.

> Even if you don't
> think a particular metacharacter could be used for sql injection
> techniques, someone will come along and prove you wrong eventually.
>
> MySQL will properly interpret all W3C metacharacters when escaped.
> I suspect the MySQL folks understood the need for it too.

But why do they say in the manual that only the backslash character and the 
string quote character need to be escaped?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
------------------------------------------
/*
One advantage of talking to yourself is that you know at least somebody's
listening.
		-- Franklin P. Jones
*/

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

