On Saturday 10 April 2004 01:13, Chris Baechle wrote:
> As pointed out by rain forest puppy
>
> http://www.wiretrip.net/rfp/txt/phrack55.txt
>
> All metacharacters as defined by the w3c should be escaped for security
> reasons. Whether it be an sql query or shell command.

Where does it mention "sql query"? The article is mostly talking about CGI
programming using Perl with reference to the w3c www security faq. And the
metacharacters talked about are shell metacharacters.

> Even if you don't
> think a particular metacharacter could be used for sql injection
> techniques, someone will come along and prove you wrong eventually.
>
> Mysql will properly interpret all w3c metacharacters when escaped.
> I suspect the mysql folks understood the need for it too.

But why do they say in the manual that only the backslash character, and the
string quote character need to be escaped?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
------------------------------------------
/* One advantage of talking to yourself is that you know at least somebody's
listening.  -- Franklin P. Jones */

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
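The two positions in the thread (escape every shell metacharacter versus escape only backslash and the delimiting quote, as the MySQL manual says) can be checked mechanically. The block below is an added example, not code from the php-db thread or from MySQL: it scans a finished statement for string literals, honouring MySQL's backslash escapes and doubled quotes, and asks whether an escaped user value is still confined to the one literal the query reserved for it. The templates, payloads and helper names are constructed for the demonstration; the shell-metacharacter list is taken from the WWW Security FAQ as I recall it and should be treated as an assumption.

```python
# Added example, not from the php-db thread. Checks which escaping rules keep a
# user value inside one MySQL string literal.

def split_literals(sql):
    """Split a MySQL statement into ('code', text) and ('str', text) chunks.
    Literals are delimited by ' or ", may contain backslash escapes and doubled
    delimiters. A literal that is never closed is reported as 'unterminated'."""
    chunks, buf, delim, i = [], [], None, 0
    while i < len(sql):
        c = sql[i]
        if delim is None:                       # outside a literal
            if c in "'\"":
                chunks.append(("code", "".join(buf)))
                buf, delim = [], c
            else:
                buf.append(c)
            i += 1
        elif c == "\\" and i + 1 < len(sql):    # backslash escape, any char
            buf.append(sql[i:i + 2]); i += 2
        elif c == delim and sql[i + 1:i + 2] == delim:   # '' inside '...'
            buf.append(c + c); i += 2
        elif c == delim:                        # closing delimiter
            chunks.append(("str", "".join(buf)))
            buf, delim = [], None
            i += 1
        else:
            buf.append(c); i += 1
    chunks.append(("unterminated" if delim else "code", "".join(buf)))
    return chunks


def mysql_escape(value, delim="'"):
    """The manual's rule: escape backslash, then the quote delimiting the literal."""
    return value.replace("\\", "\\\\").replace(delim, "\\" + delim)


def quote_only_escape(value, delim="'"):
    """A common mistake: escape the quote but forget the backslash."""
    return value.replace(delim, "\\" + delim)


# Assumed shell-metacharacter list (WWW Security FAQ); backslash added.
RFP_METACHARS = "&;`'\"|*?~<>^()[]{}$\n\r\\"

def metachar_escape(value):
    """Backslash every shell metacharacter, the CGI advice the thread cites.
    For single-quoted literals this is a superset of mysql_escape; MySQL drops
    the backslash of unknown escapes such as \\& so the stored text is unchanged."""
    return "".join("\\" + c if c in RFP_METACHARS else c for c in value)


def confined(template, value, escaper):
    """True if the escaped value occupies exactly the literal that `template`
    reserves for its single '{}' slot and changes nothing outside it."""
    chunks = split_literals(template.format(escaper(value)))
    expected = split_literals(template.format(""))
    if len(chunks) != len(expected) or any(k == "unterminated" for k, _ in chunks):
        return False
    for (kind, text), (ekind, etext) in zip(chunks, expected):
        if kind != ekind or (kind == "code" and text != etext):
            return False
    return True


# Constructed templates: the same query written with each delimiter.
SQ_TEMPLATE = "SELECT id FROM users WHERE name = '{}' AND active = 1"
DQ_TEMPLATE = 'SELECT id FROM users WHERE name = "{}" AND active = 1'


def run_checks():
    """Each entry answers: does this escaper keep this value inside the literal?"""
    return {
        "no_escaping":                  confined(SQ_TEMPLATE, "x' OR '1'='1", lambda v: v),
        "manual_rule_quote_payload":    confined(SQ_TEMPLATE, "x' OR '1'='1", mysql_escape),
        "manual_rule_trailing_backslash": confined(SQ_TEMPLATE, "\\", mysql_escape),
        "quote_only_trailing_backslash":  confined(SQ_TEMPLATE, "\\", quote_only_escape),
        "wrong_delimiter":              confined(DQ_TEMPLATE, 'x" OR "1"="1', mysql_escape),
        "matching_delimiter":           confined(DQ_TEMPLATE, 'x" OR "1"="1',
                                                 lambda v: mysql_escape(v, '"')),
        "metachar_superset":            confined(SQ_TEMPLATE, "x' OR '1'='1; a&b", metachar_escape),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:32s} {'confined' if ok else 'BREAKS OUT'}")
```

The results line up with Jason's reading of the manual: backslash plus the delimiting quote is sufficient, and escaping the whole shell list adds nothing to the literal boundary. The two failures worth remembering are the ones the manual's rule already implies: escaping the quote without the backslash lets a trailing backslash swallow the closing delimiter, and escaping `'` for a value placed inside a `"`-delimited literal escapes the wrong character. Two caveats the scanner cannot show: this byte-wise escaping is not character-set aware, which is why the client library's `mysql_real_escape_string` exists, and a value interpolated outside quotes (a bare numeric context) is not protected by any string escaping at all. Bound parameters in prepared statements avoid the question entirely where the client library offers them.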