RES: SQL injection - mysql_real_escape_string()?
|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
Hi, If you are specially paranoid, you can use prepared statements (only mysqli). If you are even more paranoid, you can use views and stored procedures and never let the user access (directly) the tables of your database. Never forget that $_GET functions can carry injections when you make some queries like "SELECT [...] WHERE id='" . $_GET["id"] . "'". You can even change from the default $_GET and $_POST to another function where you can check every input. There are a lot of things that can be done, so, I suggest you to read this: The Ten Most Critical Web Application Security Risks - http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf Best regards, Jean Rafael Tardem Delefrati -----Mensagem original----- De: Jacob Kruger [mailto:jacobk@xxxxxxxxxxxxxx] Enviada em: quarta-feira, 15 de fevereiro de 2012 11:56 Para: php-windows@xxxxxxxxxxxxx Assunto: Re: SQL injection - mysql_real_escape_string()? Ok, while did find some tutorial material on mysqli, etc., neither my wamp installation, or my online hosting server seem to support it at all, but anyway. Stay well Jacob Kruger Blind Biker Skype: BlindZA '...fate had broken his body, but not his spirit...' ----- Original Message ----- From: "Jacob Kruger" <jacobk@xxxxxxxxxxxxxx> To: <php-windows@xxxxxxxxxxxxx> Sent: Monday, February 13, 2012 7:38 AM Subject: SQL injection - mysql_real_escape_string()? Just wondering if anyone else specifically does more than using mysql_real_escape_string function to check freely entered text values before processing queries to a mysql database as such? Stay well Jacob Kruger Blind Biker Skype: BlindZA '...fate had broken his body, but not his spirit...' -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php