Re: [PHP] MySql injections (related question)

Posted by Marek Kilimajer on 05/13/05 10:51

Richard Lynch wrote:
> On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
>
>> From me:
>> The fact that it uses the character set of your current connection to
>> MySQL means that what your escaping function considers to be a single
>> quote is exactly what your database considers to be a single quote. If
>> these things don't match, your escaping function can miss something that
>> your database interprets, opening you up to an SQL injection attack.
>
>
> Under the following pre-conditions:
> 1. C Locale / English in MySQL data
> 2. No intention to ever switch natural language, nor database.
>
> is there any real benefit to spending man hours I really can't afford for
> legacy code to switch from Magic Quotes to mysql_real_escape_string -- and
> make no mistake, it would be a TON of man hours.

It will take less than five minutes to write a recursive function that
will stripslashes() all incoming variables and use
mysql_real_escape_string() instead.
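The recursive helper described in the post above, written out as an added example that is not code from the original thread or from either poster. It assumes a PHP 4/5-era deployment where magic_quotes_gpc may be on and the old mysql extension is in use; the connection details, the `users` table and the `name` column are hypothetical. The idea is to undo magic quotes exactly once, at the top of the request, so that every value reaches the database escaped exactly once by mysql_real_escape_string(), which uses the connection's character set.

```php
<?php
// Added example, not from the original thread. Undo magic_quotes_gpc once,
// recursively, so every request value is escaped exactly once at query time.

// Recursively strip the backslashes that magic_quotes_gpc added to request data.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        // Arrays (e.g. name[]=a&name[]=b) are walked element by element.
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Run once per request, before any input is read, and only when the
// setting is actually on; stripping twice would corrupt legitimate backslashes.
if (get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Quote one value for the open connection; $link is the resource returned by
// mysql_connect(), so the escaping matches that connection's character set.
function db_quote($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Usage with hypothetical connection details, table and column.
$link = mysql_connect('localhost', 'app_user', 'app_password');
mysql_select_db('app', $link);

$name = isset($_GET['name']) ? $_GET['name'] : '';
$sql  = 'SELECT id FROM users WHERE name = ' . db_quote($name, $link);
$result = mysql_query($sql, $link);
```

The escaping is deliberately done in db_quote() at the point where the value is placed into SQL, not on the raw input, so the same request data can still be used for HTML output, file names or logging without stray backslashes. Note that the mysql extension and get_magic_quotes_gpc() were removed in later PHP releases (PHP 7 and 8 respectively); the same structure applies with mysqli_real_escape_string(), and prepared statements remove the need for string escaping altogether.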
