From: Martijn Tonies
Date: March 19 2004 8:52am
Subject: Re: Guru's advice needed ........[Security: SQL injection]
List-Archive: http://lists.mysql.com/mysql/162086
Message-Id: <014501c40d8f$9424f170$0702a8c0@martijn>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Hi Jigal, others,

> > Can someone shed some light on how a "SQL injection" attack occurs when
> > *magic_quotes_gpc* is "ON" and how it prevents when it's "OFF". To my
> > understanding apostrophes are escaped automatically in POST/GET/COOKIE
> > when it's ON, so how it tends towards SQL Injection.
>
> magic_quotes_gpc ON is supposed to do an addslashes automatically for all
> get, post and cookie data.
>
> > *What are the best practices for handling 'quotation marks' in input strings
> > and how to prevent SQL injection.
>
> The best way to prevent SQL injection is to check user input yourself.
> Never, ever trust any data from an external source.

What about using parameters? How are they handled in MySQL?

With regards,

Martijn Tonies
Database Workbench - developer tool for InterBase, Firebird, MySQL & MS SQL Server.
Upscene Productions
http://www.upscene.com
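The thread contrasts three approaches: raw concatenation (magic_quotes_gpc off, no checks), concatenation after automatic quote escaping (magic_quotes_gpc on, i.e. addslashes), and Martijn's suggestion of parameters. The following is an added example, not code from the thread or from any of the products mentioned; it runs against an in-memory SQLite database so it works offline, and it uses SQLite's quote-doubling escape in place of PHP's backslash-based addslashes() (SQLite does not treat backslash as an escape), since the point being shown does not depend on which escape convention is used. The users table and its rows are constructed sample data. It shows that escaping stops the classic `' OR '1'='1` payload, that escaping does nothing when the value lands in an unquoted numeric context (`WHERE id = 1 OR 1=1`), and that parameter binding neutralises both because the value is never spliced into the SQL text:

```python
import sqlite3

# Constructed sample table; nothing here comes from the mailing-list thread.
_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")]


def _open_db():
    """Fresh in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _USERS)
    return conn


def escape_quotes(value):
    """Quote-doubling escape for a string literal (SQLite/ANSI SQL form).

    Stands in for PHP's addslashes()/magic_quotes_gpc, which uses a backslash
    instead (assumption: only the escaping convention differs, the lesson
    below is the same). It only helps when the value sits inside quotes.
    """
    return value.replace("'", "''")


def lookup_by_name_unescaped(name):
    """Raw concatenation: magic_quotes_gpc off and no input checking."""
    conn = _open_db()
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_escaped(name):
    """Concatenation after escaping the quotes: the magic_quotes_gpc=On case."""
    conn = _open_db()
    sql = "SELECT id FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(user_id):
    """Escaping applied, but the value is interpolated into an unquoted numeric
    context. There is no quote to break out of, so the escaping neutralises
    nothing and a payload like "1 OR 1=1" rewrites the WHERE clause."""
    conn = _open_db()
    sql = "SELECT id FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_param(name):
    """Parameter binding: the value is sent separately from the SQL text and is
    compared as data, never parsed as SQL."""
    conn = _open_db()
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_by_id_param(user_id):
    """Same for the numeric context: "1 OR 1=1" is just a string that matches
    no integer id, not a change to the query."""
    conn = _open_db()
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    string_payload = "' OR '1'='1"
    numeric_payload = "1 OR 1=1"
    print("unescaped, string payload :", lookup_by_name_unescaped(string_payload))
    print("escaped,   string payload :", lookup_by_name_escaped(string_payload))
    print("escaped,   numeric payload:", lookup_by_id_escaped(numeric_payload))
    print("param,     string payload :", lookup_by_name_param(string_payload))
    print("param,     numeric payload:", lookup_by_id_param(numeric_payload))
```

The escaped numeric case is the one magic_quotes_gpc silently misses: the setting only adds slashes, it cannot know whether the application will wrap the value in quotes. With MySQL the same distinction applies to prepared statements with bound parameters versus escaped values concatenated into query text; the binding API (for instance `?` placeholders in MySQL prepared statements) keeps the parameter out of the SQL grammar entirely.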