12-14-2008, 09:46 PM   #18
Village Idiot

First off, this thread is over a year old. It belongs in a new thread; please read the dates before posting.

Second, that technique will not work and it strips functionality.

To inject anything, you just have to separate it with a removed character. This:
Code:
-'-
will return
Code:
--
thus opening it to attack.

It also takes out characters that could be used for legit purposes. Escaping them is how it should be done, and mysql_real_escape_string() does this just fine (I see no real use for sprintf; it seems like adding another layer of processing with no advantage).
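The bypass described in the post above, as an added worked example that is not part of the original thread: a blacklist filter deletes `--`, `;` and `'` in one pass, so the input `-'-` survives the `--` check and becomes `--` once the quote is removed, commenting out the rest of the query. The same filter also destroys a legitimate value such as `O'Brien`. The example is written in Python against an in-memory SQLite database rather than PHP/MySQL, so there is no mysql_real_escape_string(); the safe path shown instead is a bound parameter (`?`), which keeps the value out of the SQL text entirely. All function names, the `users` table and its rows are constructed for this example.

```python
from __future__ import annotations

import sqlite3

# Hypothetical "sanitizer" of the kind the post argues against: delete a blacklist
# of dangerous tokens, one token at a time, in this order.
BLACKLIST = ["--", ";", "'"]


def strip_filter(user_input: str) -> str:
    """Remove blacklisted tokens. Deleting "'" can *create* a token that was
    already checked for: -'- passes the "--" check, then becomes -- ."""
    for token in BLACKLIST:
        user_input = user_input.replace(token, "")
    return user_input


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row the queries below are meant to hide."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'root',    'admin');
        INSERT INTO users VALUES (2, 'alice',   'user');
        INSERT INTO users VALUES (3, 'O''Brien', 'user');
        """
    )
    return conn


def lookup_by_id_stripped(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Vulnerable: the stripped input is spliced into an unquoted numeric context.
    A surviving -- comments out the role restriction that follows it."""
    sql = f"SELECT name FROM users WHERE id = {strip_filter(user_input)} AND role = 'user'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_stripped(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Stripping also breaks legitimate data: O'Brien becomes OBrien and is never found."""
    sql = f"SELECT name FROM users WHERE name = '{strip_filter(user_input)}' AND role = 'user'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_bound(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Safe: the value is passed as a bound parameter; quotes and -- are just data."""
    sql = "SELECT name FROM users WHERE name = ? AND role = 'user'"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def lookup_by_id_bound(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Safe numeric context: validate the type instead of filtering characters."""
    try:
        user_id = int(user_input)
    except ValueError:
        return []
    sql = "SELECT name FROM users WHERE id = ? AND role = 'user'"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    # Direct -- is caught by the blacklist, so the role restriction still applies.
    print("direct  --  :", lookup_by_id_stripped(db, "2 OR 1=1 --"))
    # Split -'- survives the -- check, the quote is removed, and root leaks.
    print("split  -'-  :", lookup_by_id_stripped(db, "2 OR 1=1 -'-"))
    print("stripped name:", lookup_by_name_stripped(db, "O'Brien"))
    print("bound name   :", lookup_by_name_bound(db, "O'Brien"))
    print("bound attack :", lookup_by_id_bound(db, "2 OR 1=1 -'-"))
```

Run it as-is: the direct `--` and the plain `OR 1=1` payloads still return only `user` rows, because `AND` binds tighter than `OR` and the role check stays in effect; only the split `-'-` payload comments that check out and returns the admin row. The bound-parameter versions find `O'Brien` and return nothing for every payload.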