Re: no insert ...

Posted by Erwin Moller on 12/18/06 12:43

Iván Sánchez Ortega wrote:

> Rik wrote:
>
>> * always = if you feel like it
>> always, always = most of the time
>> always, always, always = 99,9% of the time.
>>
>> At least, that seems to be the way people perceive it.
>
> There is no use insisting... people will keep on making mistakes like
> forgetting to use mysql_real_escape_string() to avoid SQL injections.

Hi Ivan,

Allow me to drop in here with a question.
I use the ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
It has a function named qstr() that will make a string ready to use in an
insert or update statement.
I checked the source code and noticed that for MySQL it branches code on
magic_quotes_gpc.

If magic quotes are on, it leaves the string as is.
Otherwise it uses mysql_real_escape_string().

But since mysql_real_escape_string() escapes more than addslashes(), I
wonder if ADODB is doing the right thing.

addslashes works on: ", ', \, and the NULL-byte
mysql_real_escape_string works on: \x00, \n, \r, \, ', " and \x1a.

So \n, \r, \x1a are NOT escaped.
Can any of these be used for SQL-injection?

Regards,
Erwin Moller

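An added PHP illustration of the comparison Erwin raises (this is not ADODB's code and not from the thread): it puts addslashes() beside the seven-character set the post lists for mysql_real_escape_string(), and shows a quoting helper that undoes magic quotes before escaping so the result no longer depends on php.ini. The names escape_mysql_style(), quote_for_mysql() and chars_only_mysql_escapes() are hypothetical, and escape_mysql_style() is a stand-in that is not charset-aware the way the real, connection-bound function is.

```php
<?php
// Added example, not ADODB code. mysql_real_escape_string() needs a live
// connection, so escape_mysql_style() is a hypothetical stand-in that
// escapes exactly the seven characters named in the post.
function escape_mysql_style($s) {
    return strtr($s, array(
        "\x00" => '\0', "\n" => '\n', "\r" => '\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\Z',
    ));
}

// Hypothetical replacement for a qstr()-like helper: undo magic quotes
// first, then always apply MySQL-style escaping, so the output is the same
// whether magic_quotes_gpc is On or Off.
function quote_for_mysql($s, $magic_quotes_on) {
    if ($magic_quotes_on) {
        $s = stripslashes($s);   // undo the addslashes() PHP applied on input
    }
    return "'" . escape_mysql_style($s) . "'";
}

// Characters addslashes() leaves untouched but the MySQL set escapes.
function chars_only_mysql_escapes($s) {
    $missed = array();
    foreach (str_split($s) as $c) {
        if (addslashes($c) === $c && escape_mysql_style($c) !== $c) {
            $missed[] = sprintf('\\x%02x', ord($c));
        }
    }
    return array_values(array_unique($missed));
}

// Constructed input holding every character either function cares about.
$raw = "O'Brien \"x\" \\ " . "\x00" . "\n" . "\r" . "\x1a";

// Simulate both php.ini settings: with magic_quotes_gpc=On, PHP has already
// run addslashes() over the request value before the script sees it.
$from_request_magic_on  = addslashes($raw);
$from_request_magic_off = $raw;

echo "addslashes only:      ", addslashes($raw), "\n";
echo "mysql-style escaping: ", escape_mysql_style($raw), "\n";
echo "missed by addslashes: ", implode(' ', chars_only_mysql_escapes($raw)), "\n";
echo "quoted, magic_quotes_gpc=On : ", quote_for_mysql($from_request_magic_on, true), "\n";
echo "quoted, magic_quotes_gpc=Off: ", quote_for_mysql($from_request_magic_off, false), "\n";
```

The last two lines print identical output, which is the property a quoting layer should have; the "missed by addslashes" line lists \x0a, \x0d and \x1a, the three characters the post singles out.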
