05-01-2008, 02:35 PM
#4
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Valid injection is an issue; wildhoney uses sprintf to secure it from that. I find the best way is to wrap all values in single quotes and table names, etc. in `. For instance
"SELECT * FROM user WHERE id = $id"
Would be
"SELECT * FROM `user` WHERE `id` = '$id'"
That way, even if $id = "99999 OR id > 0"; it won't inject anything.
Don't use stripslashes; there are valid uses for slashes and that would simply remove them all.
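An added example, not code from the post above, illustrated in Python with an in-memory SQLite table (a constructed `user` table, not wildhoney's schema) rather than PHP/MySQL: it runs the bare interpolation from the post, the quoted form the post recommends, and a parameterized query against the same `99999 OR id > 0` input, so the reader can see what each one returns.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration (not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def query_unquoted(conn: sqlite3.Connection, user_id: str) -> list:
    # The "before" form from the post: the raw value is spliced into the SQL,
    # so anything in user_id becomes part of the statement.
    return conn.execute(f"SELECT * FROM user WHERE id = {user_id}").fetchall()


def query_quoted(conn: sqlite3.Connection, user_id: str) -> list:
    # The form the post recommends: backticks around identifiers, single
    # quotes around the value. SQLite accepts backtick-quoted identifiers.
    return conn.execute(
        f"SELECT * FROM `user` WHERE `id` = '{user_id}'"
    ).fetchall()


def query_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Placeholder binding: the value never becomes part of the SQL text, so no
    # hand-written quoting or escaping is needed.
    return conn.execute(
        "SELECT * FROM user WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "99999 OR id > 0"  # the input used in the post
    print("unquoted     :", query_unquoted(db, payload))      # all three rows
    print("quoted       :", query_quoted(db, payload))        # []
    print("parameterized:", query_parameterized(db, payload))  # []
    print("parameterized, id 2:", query_parameterized(db, "2"))  # [(2, 'bob')]
```

For the interpolated forms the outcome depends on the value never containing a quote character; the parameterized form does not have that dependency, which is why it is the usual recommendation.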