SQL Injection and mysql_real_escape_string
05-01-2008, 02:52 PM
Join Date: Sep 2007
Originally Posted by
And in those instances, you use other methods. I wasn't suggesting that would clear up all the problems; the primary point of that was to say, don't trust one method. I sound like a broken record though, so I'm going to let it go after this. However, I will say, I can't think of a single instance where ' needs to be on the outside of a user-inputted string.
I can't either, but one could come up. When it does months later, you will go around for a long time trying to figure out what is wrong with what you just wrote. It won't immediately hit you that the injection protection did it.
As you shouldn't trust one method, just do what the manual says (the MySQL manual says use mysql_real_escape_string() and quotes). Unless you can say you know MySQL better than the people who made it and test its security, don't make your own method. It will either be insecure or unnecessary. I know every time I try to make my own method for something like this, it ends up bad.
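The point the reply makes (escaping only works when the escaped value sits inside quotes, and a parameterised query sidesteps the question entirely) can be shown with a small demonstration. This is an added example, not code from the thread: `mysql_escape` is an assumed stand-in that applies the same character substitutions as PHP's mysql_real_escape_string() for a single-byte charset, the tokenizer is a deliberately minimal MySQL-style lexer used only to count how many SQL tokens the user's value turns into, and sqlite3 stands in for MySQL in the parameterised part.

```python
import re
import sqlite3

def mysql_escape(value: str) -> str:
    """Assumed stand-in for mysql_real_escape_string(): backslash-escape the
    characters it escapes. (The real function is charset-aware; this is not.)"""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

# Minimal lexer: backslash-escaped string literals, words, single punctuation.
_TOKEN = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|\s+|\w+|[^\w\s]")

def tokenize(sql: str) -> list:
    """Split SQL into tokens, dropping whitespace, so we can see where a
    string literal ends and the next SQL keyword begins."""
    return [t for t in _TOKEN.findall(sql) if not t.isspace()]

def build_quoted(user: str) -> str:
    """What the manual says: escape AND quote the value (string context)."""
    return "SELECT * FROM users WHERE name = '" + mysql_escape(user) + "'"

def build_unquoted(user: str) -> str:
    """The trap the reply warns about: escaping without quotes (numeric
    context). There is nothing for the escaper to escape in '1 OR 1=1'."""
    return "SELECT * FROM users WHERE id = " + mysql_escape(user)

def tokens_from_value(sql: str) -> list:
    """Tokens that follow the first '=' in the WHERE clause. If the user's
    value contributed exactly one token, it stayed a single literal."""
    toks = tokenize(sql)
    return toks[toks.index("=") + 1:]

def make_db() -> sqlite3.Connection:
    """Constructed sample table (sqlite3 stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'neil")])
    return conn

def find_by_id_param(conn: sqlite3.Connection, user: str) -> list:
    """Parameterised query: the value never becomes SQL text, so the
    quoted/unquoted question does not arise at all."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user,)).fetchall()

def find_by_name_param(conn: sqlite3.Connection, user: str) -> list:
    return conn.execute("SELECT name FROM users WHERE name = ?", (user,)).fetchall()

if __name__ == "__main__":
    # Quoted + escaped: the whole value is one string literal, even with quotes in it.
    print(tokens_from_value(build_quoted("' OR '1'='1")))   # one token
    # Escaped but unquoted: the value becomes five SQL tokens, i.e. new logic.
    print(tokens_from_value(build_unquoted("1 OR 1=1")))     # five tokens
    db = make_db()
    print(find_by_id_param(db, "1 OR 1=1"))                  # [] - no match, no injection
    print(find_by_name_param(db, "o'neil"))                  # [("o'neil",)]
```

The tokenizer is only there to make the reply's argument visible: after escaping, a value placed inside quotes is one string token no matter what it contains, while the same escaper does nothing useful for a value dropped into a numeric position. The parameterised queries at the end show the alternative the thread does not reach but every modern driver offers: the value is bound separately from the SQL text, so neither escaping nor quoting is the application's job.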