TalkPHP - View Single Post - SQL Injection and mysql_real_escape_string

delayedinsanity · 05-03-2008, 08:21 PM

Probably because I'm not a hacker, nor does your sample script even run to make the attempt on, nor do I have the time. However, after looking at your script, with all the single quotes, and the only other method called is mysql_real_escape_string, I'm going to firmly believe that your scripts are entirely and probably very easily hackable.

The first SQL injection attack I ever read about was something akin to: ' username='admin' --, which makes use of the fact that the script is probably using single quotes, so I hardly see how you believe this to be a form of security.
-m

05-03-2008, 08:21 PM	#33 (permalink)
delayedinsanity is cute and cuddly Join Date: Mar 2008 Location: Vegas, Baby Posts: 963 Thanks: 31	Probably because I'm not a hacker, nor does your sample script even run to make the attempt on, nor do I have the time. However, after looking at your script, with all the single quotes, and the only other method called is mysql_real_escape_string, I'm going to firmly believe that your scripts are entirely and probably very easily hackable. The first SQL injection attack I ever read about was something akin to: ' username='admin' --, which makes use of the fact that the script is probably using single quotes, so I hardly see how you believe this to be a form of security. -m