From: Daevid Vincent
Date: June 11 2007 9:09pm
Subject: RE: MySQL Magazine - Issue 1 available NOW!!!!
List-Archive: http://lists.mysql.com/mysql/207380

Yes, you are correct. In a cruel, ironic twist, that actually bit me in the ass, as it turns out we tried to import some "HTML" output from MS Word, which adds all kinds of crazy XHTML comment tag thingys that look like:

Etc. *sigh*

> -----Original Message-----
> From: Yves Goergen [mailto:nospam.list@stripped]
> Sent: Saturday, June 09, 2007 4:34 AM
> To: Daevid Vincent
> Cc: 'B. Keith Murphy'; 'MySQL General'
> Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
>
> On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> > Thanks for the magazine. I already incorporated a little extra SQL
> > injection checking into my db.inc.php wrapper...
> >
> > //[dv] added to remove all comments (which may help with SQL injections
> > as well).
> > $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
>
> I'm not aware of the context, but I guess you can imagine that this will
> corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
> string. So I would highly recommend not using those.
>
> --
> Yves Goergen "LonelyPixel"
> Visit my web laboratory at http://beta.unclassified.de
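The following is an added illustration of the point made in this thread; it is not code from either poster. The three preg_replace calls are ported to Python regular expressions so they can be run offline, the sample queries are constructed for the demonstration, and the quote-aware scanner is a simplified lexer written for this example (an assumption, not MySQL's real parser). It shows which legitimate queries the regex approach corrupts, and it ends with the fix the thread points toward: binding user data as a parameter so it never reaches the parser as SQL syntax (sqlite3 stands in for MySQL because it ships with Python).

```python
import re
import sqlite3

# Constructed sample queries. The first carries a genuine comment; the
# other three carry comment-looking characters inside string literals,
# which is exactly the case the reply warns about.
SAMPLE_QUERIES = {
    "plain_comment": "SELECT 1 -- trailing note\nFROM dual",
    "hash_in_string": "INSERT INTO tags (name) VALUES ('#1 fan')\n",
    "dashes_in_string": "SELECT * FROM notes WHERE body = 'a -- b'\n",
    "block_in_string": "SELECT '/* not a comment */' AS s",
}


def strip_comments_regex(sql: str) -> str:
    """Port of the three preg_replace calls from the thread (naive approach).
    PHP's /s modifier corresponds to re.S."""
    sql = re.sub(r"#.*?[\r\n]", "", sql, flags=re.S)
    sql = re.sub(r"--.*?[\r\n]", "", sql, flags=re.S)
    sql = re.sub(r"/\*(.*?)\*/", "", sql, flags=re.S)
    return sql


def strip_comments_aware(sql: str) -> str:
    """Scan character by character, tracking whether we are inside a quoted
    string ('...' or "...", with backslash and doubled-quote escapes), and
    drop comment text only when it appears outside quotes. Recognises '#',
    '-- ' (dashes followed by whitespace, as MySQL requires) and '/* */'.
    Simplified lexer for illustration only."""
    out = []
    i, n = 0, len(sql)
    quote = None
    while i < n:
        c = sql[i]
        if quote:
            out.append(c)
            if c == "\\" and i + 1 < n:          # backslash escape in string
                out.append(sql[i + 1])
                i += 2
                continue
            if c == quote:
                if i + 1 < n and sql[i + 1] == quote:   # doubled quote ('')
                    out.append(quote)
                    i += 2
                    continue
                quote = None
            i += 1
            continue
        if c in ("'", '"'):
            quote = c
            out.append(c)
            i += 1
            continue
        is_dash_comment = sql.startswith("--", i) and (
            i + 2 >= n or sql[i + 2] in " \t\r\n")
        if c == "#" or is_dash_comment:
            # line comment: skip to end of line but keep the newline itself
            j = sql.find("\n", i)
            i = n if j == -1 else j
            continue
        if sql.startswith("/*", i):
            # block comment: skip to the closing */ (or to the end if absent)
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def corrupted_by_regex() -> list:
    """Names of the sample queries that the regex approach changes but the
    quote-aware scanner leaves intact, i.e. the regex's false positives."""
    return [name for name, q in SAMPLE_QUERIES.items()
            if strip_comments_regex(q) != q and strip_comments_aware(q) == q]


def store_with_placeholder(value: str) -> str:
    """The real fix: bind user data as a parameter. The value is delivered
    to the engine as data, so '#', '--', quotes and '/* */' in it are
    inert and there is nothing to strip. In-memory sqlite3 stands in for
    MySQL here (PDO or mysqli prepared statements play the same role in PHP)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tags (name TEXT)")
    con.execute("INSERT INTO tags (name) VALUES (?)", (value,))
    return con.execute("SELECT name FROM tags").fetchone()[0]


if __name__ == "__main__":
    for name, q in SAMPLE_QUERIES.items():
        print(name, "regex ->", repr(strip_comments_regex(q)))
        print(name, "aware ->", repr(strip_comments_aware(q)))
    print("false positives:", corrupted_by_regex())
    print("stored intact:", repr(store_with_placeholder("#1 fan -- '/* x */'")))
```

Running it shows the regex version truncating three of the four queries at the first comment-looking character inside a string literal, while the quote-aware scanner only removes the genuine trailing comment. Even the scanner is only a mitigation for stray comment syntax; it does nothing against an injected quote, which is why bound parameters rather than input scrubbing are the defence to rely on.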