05-01-2008, 02:14 PM   #2
delayedinsanity

I've read a lot on the various things that mysql_real_escape_string() catches that addslashes() doesn't, but I haven't come across anything specifying what it doesn't catch. That's not to say it doesn't, but it really shouldn't be your only line of defense anyway. Validate the data you're receiving before you use it! If somebody is entering a username into your login form, there's no reason they should be using special characters such as ' or - anyway. ~[A-Za-z0-9_]~ stops that dead before it even gets so far as being used in an SQL query, for example.

When you said prepared statements at first, I thought you were referring to MySQL :: Prepared Statements, which is something I was inquiring about in another thread. Personally, I couldn't imagine doing what you suggest there; what if you had 20,000 users?
-m
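An added example (my code, not from the post above or the forum thread) of the validate-first approach the post argues for, with a bound parameter as the second layer. Two things here are assumptions, not from the post: the character-class pattern is anchored with ^ and $ and given a length limit, because the bare pattern ~[A-Za-z0-9_]~ only asks whether the string contains one such character (so "admin' --" would pass on the 'a'); and the users table, its sample rows and the in-memory SQLite database are constructed so the script runs offline in place of MySQL.

```php
<?php
// Added example, not code from the original post. Layer 1: allowlist-validate
// the username before any SQL exists. Layer 2: send it as a bound parameter so
// the SQL text never changes shape. The table (users: id, username), the sample
// rows and the SQLite in-memory DB are constructed for this demo.

function is_valid_username(string $name): bool
{
    // Anchored (^ ... $) so the WHOLE value must be [A-Za-z0-9_], 1 to 32 chars.
    // Without the anchors, "admin' --" would pass because it contains an 'a'.
    return preg_match('~^[A-Za-z0-9_]{1,32}$~', $name) === 1;
}

function find_user(PDO $db, string $username): ?array
{
    // First line of defense: reject anything outside the allowlist before
    // any query is built at all.
    if (!is_valid_username($username)) {
        return null;
    }
    // Second line of defense: a prepared statement. The SQL is fixed text and
    // the value travels separately, so it cannot alter the query structure.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function demo_db(): PDO
{
    // SQLite stands in for MySQL so the example runs without a server.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
    $ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    foreach (['alice', 'bob_99', 'Carol'] as $u) {   // constructed sample rows
        $ins->execute([':u' => $u]);
    }
    return $db;
}

$db = demo_db();

$inputs = [
    'alice',                        // legitimate login
    'bob_99',
    "alice' OR '1'='1",             // classic injection attempt: fails the allowlist
    'bob_99; DROP TABLE users',     // fails the allowlist as well
    'mallory',                      // well-formed but unknown: query runs, finds no row
];

foreach ($inputs as $in) {
    $valid = is_valid_username($in) ? 'valid' : 'REJECTED';
    $row   = find_user($db, $in);
    $found = $row === null ? 'no row' : 'id=' . $row['id'];
    printf("%-30s %-9s %s\n", json_encode($in), $valid, $found);
}

// Even with validation skipped, the bound parameter treats the injected
// string as one literal username, so it matches no row instead of every row.
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
$stmt->execute([':u' => "alice' OR '1'='1"]);
printf("rows matched by the injected string with binding only: %d\n", $stmt->fetchColumn());
```

Run it with `php validate_then_bind.php` (any PHP 7.1+ with the pdo_sqlite extension). The point of keeping both layers is that the allowlist stops hostile input before it reaches the database at all, while the bound parameter means the query is still safe for the fields where a strict character class is not an option, such as free-text passwords or display names.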