SQL Injection and mysql_real_escape_string
05-03-2008, 08:11 PM
Join Date: Sep 2007
Originally Posted by
I was avoiding this, but c'mon. He's presented a lot more thorough reasoning than you have - to date all you've said, summed up, is "my method works fine. I don't need yours.". Which btw, after looking at your code sample (which I might add is 95% just Smarty, you may want to make a note of that so unsuspecting clients don't assume that it's your work), it seems the thing you do is check if a variable isn't numeric, and if so, you mysql_real_escape_string() it. If that's the extent of your validation/sanitization and security, that's pretty flimsy.
I have provided far more than that, I have provided my method of validation and clearly walked you through my process. All highway has posted is I am wrong, without a single piece of evidence. Also, that is not all I do, I put everything between single quotes, meaning
When this is done with my previous processes, it is just as secure as typecasting!
Is anyone even reading my posts? I am not saying there is no use for typecasting, there are specific uses where it may be necessary, but it is not a basic of security type thing. There is a reason highway didn't show me an example of injection on any of my clients' sites, because he can't. Am I the only one that finds it funny that you are saying my scripts are not secure, but you can't seem to hack them?
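The two approaches argued over in this thread, escape-and-quote versus typecasting, side by side in PHP. This is an added example, not code from any poster; it assumes a mysqli connection and a hypothetical `users` table with an integer `id` and a string `email` column, and uses mysqli's `real_escape_string` in place of the removed `mysql_real_escape_string`. A prepared-statement version of the same lookup is included as the contrast a reviewer would ask for.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection and a
// hypothetical `users` table (integer `id`, string `email`).

// Numeric input: typecast. (int) guarantees the interpolated value is an
// integer literal regardless of what the raw input contained, so no quotes
// or escaping are needed in the SQL.
function userById(mysqli $db, $rawId): ?array {
    $id = (int) $rawId;
    $res = $db->query("SELECT id, email FROM users WHERE id = $id");
    return $res ? $res->fetch_assoc() : null;
}

// String input: escape AND wrap in single quotes. The quotes are what make
// the escaping meaningful; an escaped value dropped into an unquoted position
// (a column name, ORDER BY, LIMIT) is not protected. real_escape_string works
// against the connection's character set, so set it with set_charset()
// before escaping rather than relying on the server default.
function userByEmail(mysqli $db, string $rawEmail): ?array {
    $email = $db->real_escape_string($rawEmail);
    $res = $db->query("SELECT id, email FROM users WHERE email = '$email'");
    return $res ? $res->fetch_assoc() : null;
}

// Same lookup as a prepared statement: the value is sent separately from the
// SQL text, so neither escaping nor typecasting is needed for injection
// safety (typecasting may still be wanted for validation).
function userByEmailPrepared(mysqli $db, string $rawEmail): ?array {
    $stmt = $db->prepare("SELECT id, email FROM users WHERE email = ?");
    $stmt->bind_param('s', $rawEmail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Hypothetical connection details.
$db = new mysqli('localhost', 'app_user', 'app_pass', 'app');
$db->set_charset('utf8mb4');

var_dump(userById($db, $_GET['id'] ?? '0'));
var_dump(userByEmail($db, $_GET['email'] ?? ''));
var_dump(userByEmailPrepared($db, $_GET['email'] ?? ''));
```

The point the thread circles around is visible in the first two functions: escape-and-quote and typecasting each cover one kind of value, and both only hold when the value is placed exactly where the function assumes (inside quotes, or as a bare integer). The prepared statement removes that placement dependency, which is why it is the usual recommendation over either.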