From: Peter Rosenthal
Date: June 7 2007 12:56am
Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
List-Archive: http://lists.mysql.com/mysql/207275
Message-Id: <7806f6cc0706061756r47e8bc40h2673273ce3267249@mail.gmail.com>

I would disagree on the use of mysql_real_escape_string(). The use of
placeholders is much safer from a maintenance and 'oops look I typoed it'
perspective.

On 04/06/07, Jon Ribbens wrote:
>
> On Mon, Jun 04, 2007 at 02:44:25PM -0700, Daevid Vincent wrote:
> > Thanks for the magazine. I already incorporated a little extra SQL
> > injection checking into my db.inc.php wrapper...
> >
> > //[dv] added to remove all comments (which may help with SQL injections
> > as well.
> > $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
>
> Um, what? Both that and the methods described in the magazine are
> completely wrong. You use mysql_real_escape_string(), that's it.
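The placeholder approach Peter recommends, set beside the quoted comment-stripping filter, as an added example that is not from this thread: a Python port of the three preg_replace() patterns next to a parameterized query. It assumes SQLite (via the standard sqlite3 module) in place of MySQL so it runs offline, and the users table and its rows are constructed for the demonstration.

```python
import re
import sqlite3

# Port of the quoted preg_replace() filter (constructed for illustration).
# It only removes comment syntax; anything that is not a comment passes
# through untouched, so it is not an injection defence.
def strip_sql_comments(sql: str) -> str:
    sql = re.sub(r"#.*?[\r\n]", "", sql, flags=re.S)
    sql = re.sub(r"--.*?[\r\n]", "", sql, flags=re.S)
    sql = re.sub(r"/\*(.*?)\*/", "", sql, flags=re.S)
    return sql


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a real MySQL schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a@example.com"), ("bob", "b@example.com"), ("O'Neil", "o@example.com")],
    )
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    # The wrapper style from the thread: build the SQL as a string, then
    # run the comment filter over it. The user's text is still parsed as SQL.
    sql = strip_sql_comments(f"SELECT email FROM users WHERE name = '{name}'")
    return [row[0] for row in conn.execute(sql)]


def interpolated_fails_on(conn: sqlite3.Connection, name: str) -> bool:
    # A legitimate value with an apostrophe breaks the interpolated query
    # (the 'oops' case); returns True if the database rejects the statement.
    try:
        lookup_interpolated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_placeholder(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder: the driver passes the value separately from the SQL text,
    # so it is treated as data whatever characters it contains.
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]
```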