Posted by Michael Fesser on 11/26/07 16:49

..oO(Michael Martinek)

>mysql_real_escape_string will not change $nAccountID from the value of
>"0; DROP users;".. there's nothing to be escaped in the string. The
>proper way to protect against SQL injection is usually a combination
>of sprintf() or intval(), and mysql_real_escape_string().

Or prepared statements.

Micha

• Next in forum: Re: __FILE__ and sym-links
• Prev in forum: Re: regular expression to extract text
• Thread view: Re: Newbie Security Questions

[Reply to this message]