MySQL Count and PHP
Salathe, 12-08-2007, 07:45 PM (Join Date: Apr 2007)
Originally Posted by
Single quote your variables, otherwise injection is easy (even if cleaned). For instance ... Even if you clean that, the injection will work.
That entirely depends on the method used to 'clean' the incoming data. Any decent filtering method will take this situation into account and protect your queries -- Village Idiot, if your current cleaning method does not cater for this situation then it's time to rethink things. Inventing a rule to wrap everything in quotes is just putting a band-aid over the problem rather than treating the injury properly.
String values should be wrapped in quotes; integer, double, etc. columns should not be wrapped in quotes. It's just good SQL.
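The distinction the reply draws, as an added example that is not code from the thread or from either poster: an escape-only "cleaner" protects a quoted string literal but does nothing for a number that is interpolated unquoted, whereas a type-aware filter (cast the integer, quote and escape the string) or a bound placeholder closes the hole. The thread is about PHP and MySQL; this example uses Python's sqlite3 in memory so it runs stand-alone. The `escape_only` function is a constructed stand-in for an escape-only cleaner such as mysql_real_escape_string, `clean_int` is the integer filter the reply argues for, and the `users` table and its rows are made up.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def escape_only(value):
    """Stand-in for an escape-only 'cleaner' (assumed, not a real library call):
    doubles single quotes so a value cannot terminate a quoted string literal.
    It leaves spaces, operators and keywords untouched, so it has no effect at
    all on a value that is never placed inside quotes."""
    return str(value).replace("'", "''")


def clean_int(value):
    """Type-aware filter for a numeric column: the value must parse as a
    base-10 integer, otherwise it is rejected outright (ValueError)."""
    return int(str(value).strip(), 10)


def count_by_id_unquoted(conn, raw_id):
    """Escaped but unquoted numeric column: the case the quoted post warns about.
    '1 OR 1=1' contains no quote characters, so escape_only() passes it through
    and the WHERE clause becomes 'id = 1 OR 1=1'."""
    sql = "SELECT COUNT(*) FROM users WHERE id = %s" % escape_only(raw_id)
    return conn.execute(sql).fetchone()[0]


def count_by_id_typed(conn, raw_id):
    """Integer column handled as an integer: cast/validate first, no quotes
    needed, and anything that is not a number never reaches the query."""
    sql = "SELECT COUNT(*) FROM users WHERE id = %d" % clean_int(raw_id)
    return conn.execute(sql).fetchone()[0]


def count_by_name_quoted(conn, raw_name):
    """String column: quoted AND escaped, the pairing the reply calls good SQL.
    A breakout attempt like x' OR '1'='1 stays one literal string."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % escape_only(raw_name)
    return conn.execute(sql).fetchone()[0]


def count_by_id_param(conn, raw_id):
    """Placeholder binding: the value never becomes SQL text, so the
    quote-or-not question does not arise at all."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE id = ?",
                        (raw_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(count_by_id_unquoted(db, "1 OR 1=1"))      # 3: the whole table leaks
    print(count_by_name_quoted(db, "x' OR '1'='1"))  # 0: escaping works when quoted
    try:
        count_by_id_typed(db, "1 OR 1=1")
    except ValueError:
        print("rejected by clean_int")               # the filter refuses it
    print(count_by_id_param(db, "1 OR 1=1"))         # 0: bound as a value, not SQL
```

Run it as a script to see the four outcomes side by side. The lesson matches the reply: wrapping every value in quotes is not the fix; knowing the column type and cleaning for that type is (or, better still, binding parameters so the value never enters the SQL text).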