Posted by Harold Crump on 07/05/06 00:44
Hi Rik --
> > My question - is it enough to pass all user input through the
> > htmlentities() function call and store the resultant output?
>
> No. Use mysql_real_escape_string(), although that's not 100% secure
> either:
> http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the &quot; in the database?
Why bother with mysql_real_escape_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
What am I missing?
> Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
> > Also, I would like to replace all semi-colons in input with something
> > else - but I am not sure what and how.
>
> Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
-Harold.
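An added example, not code from this thread, illustrating the point the two posters disagree on: htmlentities() with its historical default flag ENT_COMPAT leaves single quotes (and backslashes) untouched, so a single-quoted SQL literal built by concatenation is still broken by ordinary input such as O'Brien, whereas a mysqli prepared statement keeps the value out of the SQL text entirely. The `users` table, its column names and the `find_user` function are assumptions; `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example (not from the thread). htmlentities() is an HTML output
// encoder, not an SQL escaping function: with ENT_COMPAT (the default before
// PHP 8.1) it encodes &, <, > and double quotes only.
function encode_for_html_only(string $input): string
{
    return htmlentities($input, ENT_COMPAT, 'UTF-8');
}

// Naive query construction: the encoded value is dropped into a
// single-quoted SQL literal, so any single quote in the input still
// terminates the literal and changes the meaning of the statement.
function build_query_by_concatenation(string $name): string
{
    return "SELECT id, name FROM users WHERE name = '"
        . encode_for_html_only($name) . "'";
}

// Constructed sample input: a legitimate name containing a single quote.
// The quote survives htmlentities() unchanged, leaving an unbalanced
// quote in the generated SQL.
$name = "O'Brien";
echo build_query_by_concatenation($name), "\n";

// Prepared statement (assumed schema): the value is sent separately from
// the SQL text, so quotes and semicolons in it cannot alter the query.
function find_user(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage (assumes a reachable MySQL server holding a users table):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
// var_dump(find_user($db, "O'Brien"));
```

On a pre-mysqli PHP install the same separation of data from SQL text is what mysql_real_escape_string() approximates, which is why it must be applied to every value at query-build time rather than once at storage time.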