List: General Discussion
From: Gordan Bobic
Date: June 11 2007 9:53pm
Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
Oh dear... Without getting into any religious arguments, if you have to
use it, PHP already provides a perfectly good interface for preventing
any SQL injections - ever. Use MySQLi and bound parameters. And if
somebody manages to invent some quasi-valid reason for not using MySQLi
(e.g. version of PHP used), then there is always mysql_escape_string() /
mysql_real_escape_string().

I don't understand this never-ending fascination with re-inventing a
square wheel for an application for which the standard round type has
already been kindly provided since year dot.

/RANT

Gordan

Daevid Vincent wrote:
> Yes, you are correct. In a cruel, ironic twist, that actually bit me in
> the ass, as it turns out we tried to import some "HTML" output from MS
> Word, which adds all kinds of crazy XHTML comment tag thingys that look
> like:
> 
> <!--[if gte mso 9]>
> <!--[if !mso]>
> <![endif]-->
> Etc.
> 
> *sigh*
>  
> 
>> -----Original Message-----
>> From: Yves Goergen [mailto:nospam.list@stripped] 
>> Sent: Saturday, June 09, 2007 4:34 AM
>> To: Daevid Vincent
>> Cc: 'B. Keith Murphy'; 'MySQL General'
>> Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
>>
>> On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
>>> Thanks for the magazine. I already incorporated a little extra SQL
>>> injection checking into my db.inc.php wrapper...
>>>
>>> //[dv] added to remove all comments (which may help with SQL injections as well).
>>> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
>>> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
>>> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql); 
>> I'm not aware of the context, but I guess you can imagine that this will
>> corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
>> string. So I would highly recommend not using those.
>>
>> -- 
>> Yves Goergen "LonelyPixel" <nospam.list@stripped>
>> Visit my web laboratory at http://beta.unclassified.de
>>
> 
> 
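
An added example, not code from the thread or from Daevid's db.inc.php wrapper, that puts Yves's objection and Gordan's recommendation side by side in PHP. The three regexes are the ones quoted above; the table and column names (notes.body, users.id, users.name) and the MySQL connection credentials are assumptions made for illustration.

```php
<?php
// Added example, not code from the list thread. The regexes are the ones
// posted by Daevid; the table/column names and the connection credentials
// are assumptions made for illustration only.

// The comment-stripping approach, exactly as quoted above.
function strip_comments(string $sql): string
{
    $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
    $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
    $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
    return $sql;
}

// 1. Yves's objection: legitimate string literals get mangled.
//    The /* ... */ inside the quoted value is removed, so the stored
//    value silently differs from what the user typed.
$legit1 = "INSERT INTO notes (body) VALUES ('see /* section 2 */ for details')\n";
echo strip_comments($legit1), "\n";

//    Worse: "--" inside a literal eats everything up to the end of the
//    line, closing quote included, so the statement now fails to parse.
//    (MySQL itself only treats "--" as a comment when whitespace follows
//    it, so "10--20" was never a comment to begin with.)
$legit2 = "INSERT INTO notes (body) VALUES ('range: 10--20 cm')\n";
echo strip_comments($legit2), "\n";

// 2. The filter does not stop an injection that uses no comment at all:
//    the payload below passes through unchanged and still rewrites the
//    WHERE clause.
$name   = "' OR '1'='1";
$attack = "SELECT id FROM users WHERE name = '$name'\n";
echo strip_comments($attack), "\n";

// 3. What Gordan recommends instead. Needs a reachable MySQL server;
//    host, user, password and database below are assumed values.
$db = new mysqli('localhost', 'appuser', 'secret', 'appdb');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error . "\n");
}

// Fallback route, escaping: only correct when the escaped value is
// placed inside quotes and the escaping function knows the connection
// character set, which is why the mysqli method is used here rather
// than the connection-less mysql_escape_string().
$escaped = "SELECT id FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
$res = $db->query($escaped);
echo 'escaped query matched ', $res->num_rows, " row(s)\n";
$res->free();

// Preferred route, bound parameters: the SQL text is sent with a
// placeholder and the value travels separately, so the server can never
// parse the value as SQL. No stripping or escaping is involved.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' = bind the value as a string
$stmt->execute();
$stmt->bind_result($id);
$count = 0;
while ($stmt->fetch()) {
    $count++;
}
echo 'prepared statement matched ', $count, " row(s)\n";
$stmt->close();
$db->close();
```

Sections 1 and 2 run with the PHP CLI alone and show the regexes altering or breaking valid statements while letting a comment-free payload through untouched; section 3 needs a MySQL server with the assumed credentials, and both the escaped and the bound-parameter query treat the payload as a literal name, so they match nothing unless a user is actually called that. bind_result() is used rather than get_result() because the latter requires the mysqlnd driver.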

Thread
MySQL Magazine - Issue 1 available NOW!!!!B. Keith Murphy4 Jun
  • RE: MySQL Magazine - Issue 1 available NOW!!!!Daevid Vincent4 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!Néstor4 Jun
      • RE: MySQL Magazine - Issue 1 available NOW!!!!Daevid Vincent5 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!Jon Ribbens5 Jun
      • Re: MySQL Magazine - Issue 1 available NOW!!!!Peter Rosenthal7 Jun
        • Re: MySQL Magazine - Issue 1 available NOW!!!!Jon Ribbens7 Jun
    • Re: MySQL Magazine - Issue 1 available NOW!!!!Yves Goergen9 Jun
      • RE: MySQL Magazine - Issue 1 available NOW!!!!Daevid Vincent11 Jun
        • Re: MySQL Magazine - Issue 1 available NOW!!!!Gordan Bobic11 Jun
          • Re: MySQL Magazine - Issue 1 available NOW!!!!Kevin Hunter11 Jun