Oh dear... Without getting into any religious arguments, if you have to
use it, PHP already provides a perfectly good interface for preventing
any SQL injections - ever. Use MySQLi and bound parameters. And if
somebody manages to invent some quasi-valid reason for not using MySQLi
(e.g. version of PHP used), then there is always mysql_escape_string() /
I don't understand this never-ending fascination with re-inventing a
square wheel for an application for which the standard round type has
already been kindly provided since year dot.
Daevid Vincent wrote:
> Yes, you are correct. In a cruel, ironic twist, that actually bit me in
> the ass, as it turns out we tried to import some "HTML" output from MS
> Word, which adds all kinds of crazy XHTML comment tag thingys that look
> <!--[if gte mso 9]>
> <!--[if !mso]>
>> -----Original Message-----
>> From: Yves Goergen [mailto:nospam.list@stripped]
>> Sent: Saturday, June 09, 2007 4:34 AM
>> To: Daevid Vincent
>> Cc: 'B. Keith Murphy'; 'MySQL General'
>> Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
>> On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
>>> Thanks for the magazine. I already incorporated a little extra SQL
>>> injection checking into my db.inc.php wrapper...
>>> //[dv] added to remove all comments (which may help with SQL injections
>>> as well.
>>> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
>>> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
>>> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
>> I'm not aware of the context, but I guess you can imagine that this will
>> corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
>> string. So I would highly recommend not using those.
>> Yves Goergen "LonelyPixel" <nospam.list@stripped>
>> Visit my web laboratory at http://beta.unclassified.de
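An added illustration, not code from the thread, of the two points made above: what the quoted preg_replace() filters do to legitimate string literals, and the MySQLi prepared statement the reply recommends instead. The table and column names, the sample values and the insert_note() helper are assumptions.

```php
<?php
// Added example, not code from the thread. It reproduces the three
// preg_replace() filters quoted above, shows what they do to legitimate
// queries, and shows the prepared statement the reply recommends instead.

// The comment-stripping filters from the quoted db.inc.php wrapper.
function strip_sql_comments(string $sql): string
{
    $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
    $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
    $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
    return $sql;
}

// Constructed sample queries whose string literals legitimately contain
// comment-like text; table and column names are assumptions.
$samples = [
    // '#' swallows everything up to the newline, leaving an unterminated
    // string literal: the query now fails outright.
    "UPDATE tickets SET title = 'Bug #7 is not a bug' WHERE id = 7\n",
    // '/* ... */' inside the literal is removed without any error: the
    // query still runs, but stores data the user never submitted.
    "INSERT INTO notes (body) VALUES ('Keep the /* internal */ marker')",
];

foreach ($samples as $sql) {
    echo "before: " . rtrim($sql) . "\n";
    echo "after:  " . rtrim(strip_sql_comments($sql)) . "\n\n";
}
// Note what the filter does NOT do: a hostile value that uses no comment
// syntax at all passes through untouched, so it gives no real protection.

// The alternative the reply recommends: MySQLi with a bound parameter.
// The SQL text and the value travel separately, so '#', '--' and '/* */'
// inside $body are plain data; nothing needs stripping or escaping.
// insert_note() is a hypothetical helper; it needs a live connection.
function insert_note(mysqli $db, string $body): int
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return $stmt->insert_id;
}
```

Running the script with the PHP CLI prints the two before/after pairs; the first "after" line is a broken query and the second is a silently altered one, which is exactly the corruption Yves warns about.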