List: General Discussion
From: Daevid Vincent
Date: June 11 2007 9:09pm
Subject: RE: MySQL Magazine - Issue 1 available NOW!!!!
Yes, you are correct. In a cruel, ironic twist, that actually bit me in
the ass, as it turns out we tried to import some "HTML" output from MS
Word, which adds all kinds of crazy XHTML comment tag thingys that look
like:

<!--[if gte mso 9]>
<!--[if !mso]>
<![endif]-->
Etc.

*sigh*
 

> -----Original Message-----
> From: Yves Goergen [mailto:nospam.list@stripped] 
> Sent: Saturday, June 09, 2007 4:34 AM
> To: Daevid Vincent
> Cc: 'B. Keith Murphy'; 'MySQL General'
> Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
> 
> On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> > Thanks for the magazine. I already incorporated a little extra SQL
> > injection checking into my db.inc.php wrapper...
> > 
> > //[dv] added to remove all comments (which may help with SQL injections
> > as well.)
> > $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
> 
> I'm not aware of the context, but I guess you can imagine that this will
> corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
> string. So I would highly recommend not using those.
> 
> -- 
> Yves Goergen "LonelyPixel" <nospam.list@stripped>
> Visit my web laboratory at http://beta.unclassified.de
> 
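
As an added example (not code from the thread, and not Daevid's db.inc.php wrapper), the script below transcribes the three preg_replace() patterns quoted above into Python and shows what Yves describes: a legitimate value that happens to contain "#" is truncated to a broken statement, while an injection payload that contains no comment at all passes through the stripping untouched. An in-memory sqlite3 database stands in for MySQL so it runs offline; the table names, sample rows, note text and payload are constructed for the example. The parameterised queries at the end show the approach that makes comment stripping unnecessary.

```python
import re
import sqlite3

# Added example, not code from the thread. The three patterns are transcribed
# from the posted PHP preg_replace() calls (PHP's /s modifier is re.S here);
# sqlite3 in memory stands in for MySQL so the script runs offline.
COMMENT_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.S),
    re.compile(r"--.*?[\r\n]", re.S),
    re.compile(r"/\*(.*?)\*/", re.S),
]


def strip_comments(sql: str) -> str:
    """Apply the thread's three comment-stripping substitutions in order."""
    for pattern in COMMENT_PATTERNS:
        sql = pattern.sub("", sql)
    return sql


# Constructed sample data: a legitimate note whose text contains "#", "--"
# and "/* */", and a classic injection payload that contains no comment.
NOTE = "Ticket #42 -- see /* draft */ text"
PAYLOAD = "x' OR '1'='1"


def stripped_insert(note: str) -> str:
    """Build the INSERT by concatenation (as the wrapper does), then strip it."""
    sql = "INSERT INTO notes (body) VALUES ('" + note + "')\n"
    return strip_comments(sql)


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Concatenate, then strip comments: the pattern the thread discusses."""
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(strip_comments(sql))]


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: user input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


def safe_insert(conn: sqlite3.Connection, note: str) -> str:
    """Store a note through a bound parameter and read it back unchanged."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (note,))
    return conn.execute("SELECT body FROM notes").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    # The '#' rule eats everything up to the newline, including the closing quote.
    print(repr(stripped_insert(NOTE)))
    # A comment with no trailing newline is not matched at all.
    print(strip_comments("SELECT 1 # no newline"))
    # Stripping changed nothing: the payload never used a comment.
    print(vulnerable_lookup(conn, PAYLOAD))
    print(safe_lookup(conn, PAYLOAD))
    # The note is stored with its '#', '--' and '/* */' intact.
    print(safe_insert(conn, NOTE))
```

Two further caveats the patterns carry on their own terms: the "#" and "--" rules only fire when a newline follows, so a comment that ends the statement survives them, and MySQL itself only treats "--" as a comment opener when whitespace follows it, so the "--" rule removes text that the server would never have treated as a comment.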

Thread
MySQL Magazine - Issue 1 available NOW!!!!  B. Keith Murphy  4 Jun
  • RE: MySQL Magazine - Issue 1 available NOW!!!!  Daevid Vincent  4 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!  Néstor  4 Jun
      • RE: MySQL Magazine - Issue 1 available NOW!!!!  Daevid Vincent  5 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!  Jon Ribbens  5 Jun
      • Re: MySQL Magazine - Issue 1 available NOW!!!!  Peter Rosenthal  7 Jun
        • Re: MySQL Magazine - Issue 1 available NOW!!!!  Jon Ribbens  7 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!  Yves Goergen  9 Jun
      • RE: MySQL Magazine - Issue 1 available NOW!!!!  Daevid Vincent  11 Jun
        • Re: MySQL Magazine - Issue 1 available NOW!!!!  Gordan Bobic  11 Jun
          • Re: MySQL Magazine - Issue 1 available NOW!!!!  Kevin Hunter  11 Jun