12-05-2007, 05:15 PM
La Vida es Sueño
Quote: Originally Posted by d4v1d
Which method is better? The mysql_real_escape_string() or addslashes()? And why? Sorry, just curious, because I've seen a few SQL Injection protection measure articles, and some say use addslashes, and some say use the real_escape_string... What's the difference?
Well, addslashes is PHP's idea of what should be escaped, whilst mysql_real_escape_string is what MySQL knows has to be escaped, and as it's for MySQL I'd be a lot more inclined to go for mysql_real_escape_string any day. Apparently they are removing addslashes from PHP 6.
One site I hacked a while ago was Tutorialized.com. You can often tell which sites are vulnerable just by adding a single quote in random places, such as in the URL:
Clearly vulnerable:
http://www.tutorialized.com/tutorials/Fireworks/1'/1
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
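A defender's counterpart to the single-quote probing described in the post above, added here as an example that is not part of the thread: a small Python detector that percent-decodes request targets from constructed access-log lines and flags those containing a single quote, treating a quote in the URL path or a 5xx response as a higher signal than a quote in a query string, where apostrophes in legitimate data are common. The log lines, IPs and paths are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); IPs and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2007:17:15:01 +0000] "GET /tutorials/Fireworks/1/1 HTTP/1.1" 200 5120
203.0.113.5 - - [12/May/2007:17:15:04 +0000] "GET /tutorials/Fireworks/1'/1 HTTP/1.1" 500 312
198.51.100.9 - - [12/May/2007:17:16:10 +0000] "GET /search?q=rock%27n%27roll HTTP/1.1" 200 2048
198.51.100.9 - - [12/May/2007:17:16:12 +0000] "GET /item?id=7%2527 HTTP/1.1" 200 1100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded forms (%2527 -> %27 -> ') are caught too."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def find_quote_probes(log_text):
    """Return one record per request whose decoded path or query contains a single quote."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        parts = urlsplit(decode_fully(m['target']))
        in_path = "'" in parts.path
        in_query = "'" in parts.query
        if not (in_path or in_query):
            continue
        status = int(m['status'])
        # A quote in the path (where no legitimate input belongs) or a server error
        # in response is a stronger indicator than a quote in a query parameter.
        severity = 'high' if (in_path or status >= 500) else 'review'
        hits.append({'ip': m['ip'], 'target': m['target'], 'status': status,
                     'where': 'path' if in_path else 'query', 'severity': severity})
    return hits
```

Run `find_quote_probes(SAMPLE_LOG)` to get three records: the path probe with a 500 response is rated high, while the two query-string cases are left for review.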