|
|
Posted by Jerry Stuckle on 06/29/07 13:33
Andrew Hutchings wrote:
> shimmyshack wrote:
>> On Jun 28, 10:28 pm, jb <jbri...@gmail.com> wrote:
>>> does wrapping the string in double quotes somehow tell mysql to treat
>>> the contents within as literal? Thus making it sql injection safe?
>>
>> just use myql_real_escape_string throughout.
>
> That won't cover things like unicode sql injection attacks for starters.
> Prepared statements are much safer but you need mysqli on your PHP
> installation (or a lot of voodoo with the standard mysql library).
>
Actually, it will. mysql_real_escape_string is charset dependent. If
you're using one of the unicode charsets in your table,
mysql_real_escape_string will handle it. And if you're not using
unicode, the injection won't work, anyway.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
[Back to original message]
|