List: General Discussion
From: Jon Ribbens
Date: June 4 2007 11:40pm
Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
On Mon, Jun 04, 2007 at 02:44:25PM -0700, Daevid Vincent wrote:
> Thanks for the magazine. I already incorporated a little extra SQL
> injection checking into my db.inc.php wrapper...
>
> //[dv] added to remove all comments (which may help with SQL injections
> as well.
> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

Um, what? Both that and the methods described in the magazine are completely wrong. You use mysql_real_escape_string(), that's it.
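To make Jon's objection concrete, here is an added example (not from either poster) that ports the three quoted preg_replace() calls to Python and runs them against an in-memory SQLite table. It shows two things the thread asserts but does not demonstrate: the comment filter leaves the apostrophe in an ordinary name like O'Brien untouched, so the spliced-together query is still malformed, and it silently mangles legitimate data that happens to contain `#` or `--`; the parameterized query (the modern equivalent of the escaping Jon recommends) handles the same input correctly. The table, rows and `_demo_db` helper are constructed for the example.

```python
import re
import sqlite3

# Port of the three preg_replace() calls from the quoted db.inc.php wrapper.
# PCRE /s maps to re.DOTALL; the patterns otherwise translate one-to-one.
_COMMENT_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.DOTALL),
    re.compile(r"--.*?[\r\n]", re.DOTALL),
    re.compile(r"/\*(.*?)\*/", re.DOTALL),
]


def strip_comments(sql: str) -> str:
    """The quoted filter: remove #, -- and /* */ comments from a query string."""
    for pattern in _COMMENT_PATTERNS:
        sql = pattern.sub("", sql)
    return sql


def _demo_db() -> sqlite3.Connection:
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, note TEXT)")
    conn.execute("INSERT INTO users VALUES ('O''Brien', 'see #12\nfixed')")
    conn.commit()
    return conn


def lookup_filtered(name: str) -> str:
    """Splice untrusted input into SQL, then apply the comment filter.

    Returns the user's note, or the exception class name if the query breaks.
    The filter never touches the quote in O'Brien, so the query is malformed.
    """
    conn = _demo_db()
    sql = strip_comments(f"SELECT note FROM users WHERE name = '{name}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return type(exc).__name__
    return row[0] if row else ""


def lookup_parameterized(name: str) -> str:
    """The correct pattern: the driver binds the value, no string surgery."""
    conn = _demo_db()
    row = conn.execute("SELECT note FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else ""
```

Running `strip_comments` over an UPDATE whose text column contains `see #12` followed by a newline deletes part of the stored value, which is the data-corruption side of the same mistake.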
| Thread | ||
|---|---|---|
| • MySQL Magazine - Issue 1 available NOW!!!! | B. Keith Murphy | 4 Jun |
| • RE: MySQL Magazine - Issue 1 available NOW!!!! | Daevid Vincent | 4 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Néstor | 4 Jun |
| • RE: MySQL Magazine - Issue 1 available NOW!!!! | Daevid Vincent | 5 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Jon Ribbens | 5 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Peter Rosenthal | 7 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Jon Ribbens | 7 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Yves Goergen | 9 Jun |
| • RE: MySQL Magazine - Issue 1 available NOW!!!! | Daevid Vincent | 11 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Gordan Bobic | 11 Jun |
| • Re: MySQL Magazine - Issue 1 available NOW!!!! | Kevin Hunter | 11 Jun |
