05-01-2008, 02:44 PM
#7 (permalink)
You can also circumvent the basic SQL injections where somebody tries
' OR username=admin --
simply with trim($szUsername, " '-"). Or preg_match("~[A-Za-z0-9_]~", $szString), or... as I said above, the best way, imo, is to not trust just one method of sanitization or validation. Verify that information.
-m
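
Added example, not part of the post above and not the poster's code: it runs the two checks exactly as written in the post against constructed inputs, next to an anchored allow-list and a bound-parameter lookup, which go beyond what the post mentions. The helper names, the 32-character limit, the sample table and the availability of the pdo_sqlite extension are assumptions.

```php
<?php
// Added example. Helper names, sample rows and inputs are constructed.

// The two checks exactly as written in the post.
function post_trim(string $s): string {
    return trim($s, " '-");   // strips these characters from both ENDS only
}
function post_regex(string $s): bool {
    // Unanchored: true as soon as ANY single character is in the class.
    return preg_match("~[A-Za-z0-9_]~", $s) === 1;
}

// Anchored allow-list: the WHOLE string must consist of allowed characters.
// The 1..32 length bound is an assumption for this example.
function is_valid_username(string $s): bool {
    return preg_match('~\A[A-Za-z0-9_]{1,32}\z~', $s) === 1;
}

// Second layer: the value is bound as a parameter, never concatenated into SQL.
function find_user(PDO $db, string $username): ?array {
    if (!is_valid_username($username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('admin'), ('m_user')");

// Constructed inputs: a normal name, the string from the post, and the same
// string with one character in front so the quote is no longer at the edge.
$inputs = ["m_user", "' OR username=admin --", "x' OR username=admin --"];

foreach ($inputs as $in) {
    printf("input:     %s\n", $in);
    printf("  trim:      %s\n", post_trim($in));
    printf("  regex:     %s\n", var_export(post_regex($in), true));
    printf("  anchored:  %s\n", var_export(is_valid_username($in), true));
    printf("  find_user: %s\n\n", json_encode(find_user($db, $in)));
}
```

Compare the trim and regex lines for the third input with the anchored result: a quote that is not at the edge of the string survives trim(), and the unanchored pattern accepts any input containing at least one allowed character.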