List: General Discussion
From: Yves Goergen  Date: June 9 2007 11:34am
Subject:Re: MySQL Magazine - Issue 1 available NOW!!!!
On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> Thanks for the magazine. I already incorporated a little extra SQL
> injection checking into my db.inc.php wrapper...
> 
> //[dv] added to remove all comments (which may help with SQL injections
> as well).
> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql); 

I'm not aware of the context, but I guess you can imagine that this will
corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
string. So I would highly recommend not using those.

-- 
Yves Goergen "LonelyPixel" <nospam.list@stripped>
Visit my web laboratory at http://beta.unclassified.de
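To make the point above concrete, here is an added example (not from the original thread or from either poster's db.inc.php wrapper): the three quoted preg_replace patterns transliterated to Python, run over constructed legitimate queries whose string literals contain comment tokens, alongside a parameterised INSERT that stores the same characters untouched. sqlite3 is used in memory as a stand-in for the MySQL connection; the table and query texts are made up for the demonstration.

```python
import re
import sqlite3

# The three comment-stripping substitutions from the quoted message,
# transliterated from PHP preg_replace (with the /s modifier) to re.sub.
COMMENT_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.S),
    re.compile(r"--.*?[\r\n]", re.S),
    re.compile(r"/\*(.*?)\*/", re.S),
]

def strip_comments(sql: str) -> str:
    """Apply the quoted regexes in order, exactly as the wrapper would."""
    for pattern in COMMENT_PATTERNS:
        sql = pattern.sub("", sql)
    return sql

# Constructed legitimate queries whose string literals contain comment tokens.
# Both are valid SQL; neither contains an actual comment.
LEGIT_QUERIES = [
    "INSERT INTO notes (body) VALUES ('see /* draft */ section')",
    "SELECT * FROM tickets WHERE title = 'Fix #12 -- urgent'\n",
]

def corrupted(sql: str) -> bool:
    """True when stripping changed the query, i.e. it ate part of a literal."""
    return strip_comments(sql) != sql

def parameterised_roundtrip(body: str) -> str:
    """Store a value containing comment tokens through a placeholder.

    The value never becomes part of the SQL text, so no stripping or escaping
    of '#', '--' or '/* */' is needed for it to survive intact.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    (stored,) = conn.execute("SELECT body FROM notes").fetchone()
    conn.close()
    return stored

if __name__ == "__main__":
    for q in LEGIT_QUERIES:
        print(repr(q), "->", repr(strip_comments(q)))
    print(parameterised_roundtrip("see /* draft */ section -- #1"))
```

Note that the first two patterns only fire when a newline follows the token, so a trailing `#` comment with no newline is left in place; the filter is both lossy for legitimate input and incomplete for the case it targets.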