05-03-2008, 07:55 PM
#31
is cute and cuddly
Join Date: Mar 2008
Location: Vegas, Baby
Posts: 963
Thanks: 31
I was avoiding this, but c'mon. He's presented a lot more thorough reasoning than you have - to date all you've said, summed up, is "my method works fine. I don't need yours." Which btw, after looking at your code sample (which I might add is 95% just Smarty, you may want to make a note of that so unsuspecting clients don't assume that it's your work), it seems the only thing you do is check if a variable isn't numeric, and if so, you mysql_real_escape_string() it. If that's the extent of your validation/sanitization and security, that's pretty flimsy.
-m