SQL Injection and mysql_real_escape_string
05-01-2008, 02:46 PM
Join Date: Sep 2007
Originally Posted by
You can also circumvent the basic sql injections where somebody tries
' OR username=admin --
simply with trim($szUsername, " '-"). Or preg_match("~[A-Za-z0-9_]~", $szString), or... as I said above, the best way, imo, is to not trust just one method of sanitization or validation. Verify that information.
There are sometimes valid uses for those letters. You don't want a security method that hurts usability.
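To make the trade-off concrete, here is an added example (not code from the thread) that runs the quoted trim() filter, a strict whitelist (my reading of the preg_match() idea), and a parameterized PDO lookup over the same inputs; it assumes the pdo_sqlite extension and builds a constructed in-memory table so it runs offline.

```php
<?php
// Added example, not code from the thread. It sets up an in-memory SQLite table
// through PDO (assumes the pdo_sqlite extension) so the comparison runs offline.

// The trim() filter exactly as quoted above: only strips the listed characters
// from both ends of the string.
function trimFilter(string $name): string
{
    return trim($name, " '-");
}

// A strict whitelist (my reading of the preg_match() idea in the quote):
// accept only letters, digits and underscore over the whole string.
function passesWhitelist(string $name): bool
{
    return preg_match('~^[A-Za-z0-9_]+$~', $name) === 1;
}

// Parameterized lookup: the value travels separately from the SQL text, so an
// apostrophe or a dash in $name is data, never part of the statement.
function findUser(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:name)');
// Constructed sample rows: apostrophe and hyphen are legitimate in real names.
foreach (["O'Brien", 'mary-jane', 'admin'] as $name) {
    $insert->execute([':name' => $name]);
}

// Legitimate names alongside the payload quoted in the thread.
foreach (["O'Brien", 'mary-jane', "' OR username=admin --"] as $input) {
    printf("%-26s trim=>%-22s whitelist=%-5s lookup=%s\n",
        var_export($input, true),
        var_export(trimFilter($input), true),
        passesWhitelist($input) ? 'pass' : 'fail',
        findUser($db, $input) ?? 'no match');
}
```

The whitelist rejects O'Brien and mary-jane (the usability cost the reply points at), while the parameterized lookup finds both and treats the quoted payload as a plain string that matches nothing.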