List:General Discussion« Previous MessageNext Message »
From:Peter Rosenthal Date:June 7 2007 12:56am
Subject:Re: MySQL Magazine - Issue 1 available NOW!!!!
View as plain text  
I would disagree on the use of mysql_real_escape_string(). The use of
placeholders is much safer from a maintenance and 'oops look I typoed it'
perspective.

On 04/06/07, Jon Ribbens <jon+mysql@stripped> wrote:
>
> On Mon, Jun 04, 2007 at 02:44:25PM -0700, Daevid Vincent wrote:
> > Thanks for the magazine. I already incorporated a little extra SQL
> > injection checking into my db.inc.php wrapper...
> >
> > //[dv] added to remove all comments (which may help with SQL injections
> > as well.
> > $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
>
> Um, what? Both that and the methods described in the magazine are
> completely wrong. You use mysql_real_ecape_string(), that's it.
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
>
>

Thread
MySQL Magazine - Issue 1 available NOW!!!!B. Keith Murphy4 Jun
  • RE: MySQL Magazine - Issue 1 available NOW!!!!Daevid Vincent4 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!NĂ©stor4 Jun
      • RE: MySQL Magazine - Issue 1 available NOW!!!!Daevid Vincent5 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!Jon Ribbens5 Jun
      • Re: MySQL Magazine - Issue 1 available NOW!!!!Peter Rosenthal7 Jun
        • Re: MySQL Magazine - Issue 1 available NOW!!!!Jon Ribbens7 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!Yves Goergen9 Jun
      • RE: MySQL Magazine - Issue 1 available NOW!!!!Daevid Vincent11 Jun
        • Re: MySQL Magazine - Issue 1 available NOW!!!!Gordan Bobic11 Jun
          • Re: MySQL Magazine - Issue 1 available NOW!!!!Kevin Hunter11 Jun