Posted by Dikkie Dik on 12/26/06 19:33
> I wrote a simple PHP function for handling string arguments to a SQL
> Query:
>
> function SqlEscapedQuotedString($unescaped_string) {
> return '"' . addslashes($unescaped_string) . '"';
> }
For me, this is way too simple. I use "whitelisting" for the SQL values:
any character that is valid SQL is allowed (though escaped for some
characters), and a string containing any other character is sent as a
hexadecimal string.
Best regards
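As an added illustration of the whitelist-or-hex approach described in the reply above (this is example code, not the poster's own function), the following PHP builds a string literal for MySQL: values made only of whitelisted characters are quoted, with the quote and backslash escaped, and anything else is emitted as a hexadecimal literal, which contains no quoting or escaping characters at all. The whitelist, the `X'...'` hex syntax and the function name `sqlStringLiteral` are assumptions for this example, not something the thread specifies.

```php
<?php
// Added example, not the poster's code. Assumes MySQL syntax, where a
// hexadecimal literal such as X'48656c6c6f' is read as a binary string.

declare(strict_types=1);

/**
 * Return a SQL string literal for $value.
 *
 * If every character is in the whitelist, emit a quoted literal with the
 * two characters that need escaping (quote, backslash) escaped. Otherwise
 * emit a hex literal, so bytes outside the whitelist (NUL, control
 * characters, multibyte sequences, comment markers, ...) never reach the
 * SQL text in raw form.
 */
function sqlStringLiteral(string $value): string
{
    // Whitelist (an assumption for this example): ASCII letters, digits,
    // space and a small set of punctuation. Quote and backslash are allowed
    // but are escaped below.
    if (preg_match('/^[A-Za-z0-9 _.,:;@\'\\\\-]*$/', $value) === 1) {
        $escaped = strtr($value, ["\\" => "\\\\", "'" => "''"]);
        return "'" . $escaped . "'";
    }

    // Anything else goes as hex; bin2hex is byte-exact, so arbitrary binary
    // data round-trips without any escaping rules being involved.
    return "X'" . bin2hex($value) . "'";
}

// Constructed sample inputs showing both branches.
$samples = [
    "O'Brien",                 // quoted, with the quote doubled
    "back\\slash",             // quoted, with the backslash doubled
    "line\nbreak",             // hex: newline is not whitelisted
    "drop -- comment",         // hex: '-' is allowed, but check it carefully
    "caf\xc3\xa9",             // hex: multibyte UTF-8
    "\x00binary\xff",          // hex: NUL and high bytes
];

foreach ($samples as $s) {
    printf("%-24s => %s\n", json_encode($s), sqlStringLiteral($s));
}
```

Run with `php example.php`. The whitelist branch is the only place escaping rules matter, so keeping that set small is what makes the scheme easy to reason about; the hex branch is safe for any byte sequence because the literal is built from `[0-9a-f]` only. Where the database driver supports it, parameterized queries remove the need to build literals at all, and this technique is best seen as a fallback for code paths that must assemble SQL text.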