
prevent sql injection

Started by Spaceman-Spiff, August 11, 2003, 03:37:17 PM

Spaceman-Spiff

Is it important to do str_replace for semicolon (;) or double hyphen (--) characters in GET/POST data?
Or is using addslashes enough?

[Unknown]

Addslashes is enough.  Semicolons don't work in PHP and comments don't work inside quotes.

(I can post with as many hyphens as I want: -----------------.)

-[Unknown]

Spaceman-Spiff

In case an addslashes is forgotten, isn't it better to make the db query change semicolon (;) into &#059; in the query statements?

[Unknown]

Doesn't matter...

mysql_query("SELECT a; DELETE b"); will just give an error or something... it won't work.

-[Unknown]

Spaceman-Spiff

Oh, so a mysql_query can't have 2 queries by default?

[Unknown]

Right, it will act like it's one query.  I'll double check, but I'm almost dead positive.

SELECT 1; SELECT 2
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '; SELECT 2' at line 1

-[Unknown]
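An added example (not code from this thread) showing the escaping approach discussed above beside a prepared statement, which sends the value separately from the SQL text so no escaping step can be forgotten. The two lookup functions assume a hypothetical mysqli connection `$db` and a table `users(name)`; the sample input is constructed to contain the three characters the question asks about.

```php
<?php
// Constructed sample input: contains a single quote, a semicolon and a double hyphen.
$input = "O'Brien; -- not a comment";

// addslashes() backslash-escapes ' " \ and NUL, so the value stays inside the
// quoted string literal. The ';' and '--' are just characters in the string,
// as the thread notes; only the quote needed escaping.
echo addslashes($input), "\n";   // prints: O\'Brien; -- not a comment

// Escaping approach: the user value is spliced into the SQL text after escaping.
// mysqli::query() runs a single statement, matching the thread's MySQL test.
function lookupEscaped(mysqli $db, string $name): ?array
{
    $sql = "SELECT name FROM users WHERE name = '" . addslashes($name) . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Prepared statement: the SQL text is fixed and contains only a placeholder;
// the value is bound afterwards and is never parsed as SQL, so it cannot
// close the quotes or end the statement no matter what it contains.
function lookupPrepared(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

// Usage with an assumed connection (hypothetical credentials):
// $db = new mysqli('localhost', 'user', 'password', 'appdb');
// var_dump(lookupEscaped($db, $input));
// var_dump(lookupPrepared($db, $input));
```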

Spaceman-Spiff

ic ic

thank you, sensei unknown :)