SQL Injection and mysql_real_escape_string
05-01-2008, 02:35 PM
Join Date: Sep 2007
Valid injection is an issue; wildhoney uses sprintf to secure it from that. I find the best way is to wrap all values in single quotes and table names, etc. in `. For instance
"SELECT * FROM user WHERE id = $id"
"SELECT * FROM `user` WHERE `id` = '$id'"
That way, even if $id = "99999 OR id > 0"; it won't inject anything.
Don't use stripslashes; there are valid uses for slashes and that would simply remove them all.
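The two query forms from the post, run against a small table so the difference is visible. This is an added example, not the poster's code; it uses Python's sqlite3 as a stand-in for MySQL (SQLite accepts backtick-quoted identifiers, and the table, rows and the "O'Brien" value are constructed for the example). It also shows the step the post's title points at: quoting alone is not enough once a legitimate value contains a quote, which is what mysql_real_escape_string (or, better, a bound parameter) takes care of. The escape_sqlite helper follows SQLite's own rule (double the quote) rather than MySQL's backslash escaping.

```python
import sqlite3


def make_db():
    """Constructed sample table for this example (in-memory, not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO user (id, name) VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return con


def by_id_unquoted(con, user_id):
    """The first form from the post: the value is pasted into the SQL bare."""
    sql = f"SELECT id, name FROM user WHERE id = {user_id}"
    return con.execute(sql).fetchall()


def by_id_quoted(con, user_id):
    """The second form: value in single quotes, identifiers in backticks.
    The whole input becomes one string literal, so 'OR id > 0' is just text."""
    sql = f"SELECT `id`, `name` FROM `user` WHERE `id` = '{user_id}'"
    return con.execute(sql).fetchall()


def escape_sqlite(value):
    """SQLite's rule for a string literal: double every single quote.
    MySQL's mysql_real_escape_string backslash-escapes several characters and
    is charset-aware, so in PHP use that function (or bound parameters)."""
    return str(value).replace("'", "''")


def by_name_quoted(con, name, escape=False):
    """Quoting without escaping breaks on a legitimate value containing a
    quote; quoting plus escaping handles it. Returns None when the SQL is
    malformed (the unescaped quote ended the literal early)."""
    literal = escape_sqlite(name) if escape else name
    sql = f"SELECT `id`, `name` FROM `user` WHERE `name` = '{literal}'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def by_id_param(con, user_id):
    """Parameterized query: the value is bound by the driver and never
    spliced into the SQL text, so no quoting or escaping is needed."""
    return con.execute("SELECT `id`, `name` FROM `user` WHERE `id` = ?",
                       (user_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "99999 OR id > 0"          # the input from the post
    print(by_id_unquoted(con, payload))  # every row: the OR was parsed as SQL
    print(by_id_quoted(con, payload))    # []: the whole input is one literal
    print(by_id_param(con, payload))     # []: bound value, same result
    print(by_name_quoted(con, "O'Brien"))              # None: malformed SQL
    print(by_name_quoted(con, "O'Brien", escape=True)) # the O'Brien row
```

The quoted form neutralizes the post's example input because the comparison is then between the id column and a single string, not an expression. The by_name_quoted case is the reason escaping still matters: a quote inside the value terminates the literal, and a value that can do that by accident can also do it on purpose, which is why the escaper (or a parameter) goes together with the quotes rather than replacing them.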