12-14-2008, 08:58 PM
|
#19 (permalink)
|
|
The Visitor
Join Date: Dec 2008
Location: Tehran, Iran
Posts: 2
Thanks: 2
|
Quote:
Originally Posted by Village Idiot
First off, this thread is over a year old. It belongs in a new thread, please read the dates before posting.
|
Oh, I didn't see the year !
Quote:
Originally Posted by Village Idiot
Second, that technique will not work and it strips functionality.
To inject anything, you just have to separate it by a removed character, this:
Will return
Thus opening it to attack.
It also takes out characters that could be used for legit purposes. Escaping them is how it should be done and mysql_real_escape_string() does this just fine (I see no real use for sprintf, it seems like adding another layer of processes with no advantage). |
Hmmm, it seems you are right |
|
|
|