SQL Injection and mysql_real_escape_string
05-01-2008, 02:14 PM
I've read a lot on the various things that mysql_real_escape_string() catches that addslashes() doesn't, but I haven't come across anything specifying what it doesn't catch. That's not to say it doesn't, but it really shouldn't be your only line of defense anyways. Validate the data you're receiving before you use it! If somebody is entering a username into your login form, there's no reason they should be using special characters such as ' or - anyways. ~[A-Za-z0-9_]~ stops that dead before it even gets so far as being used in an SQL query, for example.
When you said prepared statements at first, I thought you were referring to
MySQL :: Prepared Statements
which is something I was inquiring about in another thread. Personally, I couldn't imagine doing what you suggest there; what if you had 20,000 users??
Posted by delayedinsanity
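The two defenses the post describes, an allowlist check on the username before it reaches the query, and a prepared statement that binds the value as a parameter, shown together as an added example that is not from the post or the forum. It is written in Python against a constructed in-memory SQLite table rather than PHP and MySQL; the anchored pattern `^[A-Za-z0-9_]+$` (the post's character class applied to the whole string), the function names and the sample rows are all assumptions of this example.

```python
import re
import sqlite3

# Allowlist for usernames: the post's character class, anchored so the
# whole string must match (assumption: usernames are 1+ of these chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def is_valid_username(name: str) -> bool:
    """True only if name consists solely of letters, digits and underscore."""
    return bool(USERNAME_RE.fullmatch(name))


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob_99", "bob@example.test")],
    )
    return conn


def find_user(conn: sqlite3.Connection, name: str):
    """Validate first, then bind the value as a parameter.

    Returns the (username, email) row, or None if the name fails the
    allowlist or no such user exists.
    """
    if not is_valid_username(name):
        return None
    # The '?' placeholder is filled by the driver; the input is never
    # spliced into the SQL text, so quotes and dashes stay ordinary data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (name,)
    ).fetchone()


def find_user_unvalidated(conn: sqlite3.Connection, name: str):
    """Same query without the allowlist gate.

    Shows that parameter binding on its own keeps input as data: a value
    containing quote characters simply matches no username.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (name,)
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    for candidate in ["alice", "bob_99", "o'neil", "nobody"]:
        print(candidate, "valid" if is_valid_username(candidate) else "rejected",
              find_user(db, candidate))
```

The allowlist is the cheap first gate the post argues for; the parameter binding is what makes the query itself safe regardless of what got past validation. Using both means a bug in one does not become a database compromise.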