Expand |
Embed | Plain Text
Comments
Subscribe to comments
You need to login to post a comment.
Posted By
llbbl on 05/27/07
Tagged
mysql php textmate security sql-injection
Versions (?)
Who likes this?
167 people have marked this snippet as a favorite
Roshambo
maxav
basicmagic
rjmestre
johnself
cynic68
MartinY
m0rris
depmed
bitcrumb
fael
togi
vali29
heinz1959
apocalip
benrasmusen
coggla
Steffen82
emuman
JimiJay
DFCNT
Morgano
wirjo
wbowers
Nils
Baris
dyesin
digiloper
romanos
mmccrack
pixelhandler
JustinCrossman
jayjansheskigmailcom
Mithun
Leech
tikitakfire
sumandahal
willwish
Shocm
joaosalless
salibaray
iconsis
luggnagger
baqc
thermosilla
LostCore
wizard04
Hilyin
Nix
kungpoo
tjombka
vevhlos
ntulip
xtheonex
localhorst
rizzn2k
tewoos
owais
kernelpanics
rezzz
publicbroadcast
maorb
hamiltonmascioli
thadwheeler
nb109
gtalmes
exentrich
jcroom
joet3ch
acosonic
KF
Gr33d
rene-design
sultano
polarbear
lunacye
kellyrmartin
gutierrezgcf
GandalfGrey
afj176
cindreta
bigredjoe
quoctien82
jaff
larste
khaled
oktijum
tariel
novatvstdios
alexteg
limenet
galofre
colingardom
kaartz
hsousa
alessio2
nerdfiles
joethermal
osirisinternet
cartercole
iamadams
isholgueras
shawntysco
ahmedalttai
nextneed
vkolev
bmayzure
miceno
koteus
rabc
pgorrindo
corangar
gnitter
cjmling
seanpowell
bobbym245
jafar
hugeidea
doctrine
martins
beebs93
barbietunnie
eme_dlr
broikmann
tspitzr
rave
ilyasishak
mmcachran
CyKy
JCMais
salimi
samkamerer
lfcortes
Gordy
NeekGerd
sauloperez
luckystokes
jdenmark
prit
sjacunningham
longstaff
summer_charlie
qubestream
benediktvaldez
Adrian
Ideandro
carcinogen75
banjomamo
dixon
prismatiq
shalomfriss
rusty_richards
jsamackay
sharktale
surekin
Balamir
masta
White
miguelcanijo
rmethod
welancers
fvanommen
ColdKeyboard
ajcarrillo
bdario
ekarakas
3polars
Subscribe to comments
Please note almost any string values used in mysql queries should be escaped and not all of these values is user input which has escaped characters from magic quotes GPC. (e.g. regular vars from the script)
I'd add an additional optional parameter (bool) which defines, whether the parameter $dirty is coming from a GPC variable or not. :)
Note: mysqlrealescapestring() requires that a valid mysql connection (mysqlconnect()) exists to work... see the PHP manual for details.
"mysqlrealescapestring() requires that a valid mysql connection"
The "mysql_" appended to the function might have been a clue. :)
*append = prefix
With mysqlrealescape_string alone, you are not 100% secure, consider going for function titled "Prevent SQL Injection".
With mysqlrealescape_string alone, you are not 100% secure, consider going for function titled "Prevent SQL Injection".
sarfraznawaz2005 - what else can be done to secure the input to a further degree?
This does not prevent sql injection. It takes care of several special characters, and that's about it. it does nothing to prevent the injection of wildcard characters such as % and _ also consider numerical values in sql terms, they do not need to be enclosed in single or double quotes, so mysqlrealescapestring, does just that. It escapes strings. Notice the function was not called mysqlprevent_injection. This is why sql injection is still in the wild: developers that are trying to find an easy solution to something that is implementation specific and requires attention to detail for mitigation. If you want to prevent or lessen the risk of sql injection, read more about implementing sql injection not about preventing sql injection. You'll find much more useful solutions by reading the blogs or books written by pentesters who are actively trying to defeat these protections.... just saying
append != prefix append = suffix prepend = prefix
what about this: http://www.w3schools.com/PHP/funcmysqlrealescapestring.asp