Yes, you are correct. In a cruel, ironic twist, that actually bit me in
the ass, as it turns out we tried to import some "HTML" output from MS
Word, which adds all kinds of crazy XHTML comment tag thingys that look
<!--[if gte mso 9]>
> -----Original Message-----
> From: Yves Goergen [mailto:nospam.list@stripped]
> Sent: Saturday, June 09, 2007 4:34 AM
> To: Daevid Vincent
> Cc: 'B. Keith Murphy'; 'MySQL General'
> Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
> On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> > Thanks for the magazine. I already incorporated a little extra SQL
> > injection checking into my db.inc.php wrapper...
> > //[dv] added to remove all comments (which may help with SQL injections
> > as well).
> > $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
> I'm not aware of the context, but I guess you can imagine that this will
> corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
> string. So I would highly recommend not using those.
> Yves Goergen "LonelyPixel" <nospam.list@stripped>
> Visit my web laboratory at http://beta.unclassified.de
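As an added illustration of the corruption Yves describes (this is not code from the thread or from db.inc.php), here is a Python port of the three preg_replace() calls beside a variant that walks the query and leaves quoted string literals alone; the sample query and its tag value are constructed.

```python
import re

# Port of the three preg_replace() calls quoted above; PCRE's /s flag is re.DOTALL.
NAIVE_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.DOTALL),
    re.compile(r"--.*?[\r\n]", re.DOTALL),
    re.compile(r"/\*(.*?)\*/", re.DOTALL),
]

def strip_comments_naive(sql: str) -> str:
    """Blind regex stripping: has no idea where string literals begin or end."""
    for pat in NAIVE_PATTERNS:
        sql = pat.sub("", sql)
    return sql

def strip_comments_aware(sql: str) -> str:
    """Same intent, but copies '...' and "..." literals verbatim (backslash
    escapes and doubled quotes handled) and only strips comments outside them.
    Like the original regexes it treats any '--' as a comment start, without
    MySQL's requirement of a following whitespace character."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                      # string literal: copy it untouched
            j = i + 1
            while j < n:
                if sql[j] == "\\":               # escaped character: keep both bytes
                    j += 2
                    continue
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:   # doubled quote inside literal
                        j += 2
                        continue
                    j += 1
                    break
                j += 1
            out.append(sql[i:j]); i = j
        elif c == "#" or sql.startswith("--", i):  # line comment: drop to end of line
            while i < n and sql[i] not in "\r\n":
                i += 1
        elif sql.startswith("/*", i):            # block comment: drop through closing */
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(c); i += 1
    return "".join(out)

# Constructed sample: a legitimate value that merely looks like comment syntax.
SAMPLE = "SELECT * FROM posts WHERE tag = '#1 -- top /* 2007 */' /* real comment */\n"

if __name__ == "__main__":
    print(strip_comments_naive(SAMPLE))   # unterminated string: query is now broken
    print(strip_comments_aware(SAMPLE))   # literal intact, only the real comment gone
```

The string-aware walker only shows that the defect is lexical; the mitigation that actually removes the injection concern is passing user data as parameters rather than rewriting query text.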