Author Topic: prevent sql injection  (Read 11317 times)

Offline Spaceman-Spiff

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,524
  • Gender: Male
prevent sql injection
« on: August 11, 2003, 03:37:17 PM »
Is it important to do str_replace for semicolon (;) or double hyphen (--) characters in GET/POST data?
Or is using addslashes enough?

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: prevent sql injection
« Reply #1 on: August 11, 2003, 07:13:27 PM »
Addslashes is enough.  Semicolons don't work in PHP and comments don't work inside quotes.

(I can post with as many hyphens as I want: -----------------.)

-[Unknown]

Offline Spaceman-Spiff

Re: prevent sql injection
« Reply #2 on: August 11, 2003, 07:27:39 PM »
In case an addslashes is forgotten, isn't it better to make the db query change semicolons (;) into &#059; in the query statements?

Offline [Unknown]

Re: prevent sql injection
« Reply #3 on: August 11, 2003, 08:24:47 PM »
Doesn't matter...

mysql_query("SELECT a; DELETE b"); will just give an error or something... it won't work.

-[Unknown]

Offline Spaceman-Spiff

Re: prevent sql injection
« Reply #4 on: August 11, 2003, 09:28:14 PM »
Oh, so a mysql_query can't have 2 queries by default?

Offline [Unknown]

Re: prevent sql injection
« Reply #5 on: August 11, 2003, 10:53:07 PM »
Right, it will act like it's one query.  I'll double check, but I'm almost dead positive.

SELECT 1; SELECT 2
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '; SELECT 2' at line 1

-[Unknown]

Offline Spaceman-Spiff

Re: prevent sql injection
« Reply #6 on: August 12, 2003, 12:14:17 AM »
I see, I see.

Thank you, sensei Unknown :)