Posted by Justin Koivisto on 09/08/05 18:08
Michael G wrote:
> If I only escape the characters that mysql_real_escape_string recognizes, is
> this adequate protection against SQL injection attacks?
>
> I have read a number of archived posts plus I've read some of the info at
> php.net. I am still not convinced as to what to do. The php folks claim that
> using mysql_real_escape_string is all that is needed. Then on the other
> hand, there is a myriad of opinions about that. I think I am inclined to
> side with the php folks.
>
> One thing that bothers me about the mysql_real_escape_string is that it
> doesn't escape "--" which is a comment. One justification for this is that
> it would have to be delimited with an " ' " before it would have any affect.
> But I am not totally sure about that either.
>
> Finally, what does the "real" mean in mysql_real_escape_string?
mysql_real_escape_string obeys the character set being used by the
system, which is always a better method.
Chris Shiflett* has a nice article about SQL injection and PHP over at:
http://shiflett.org/articles/security-corner-apr2004
[*] - Brief about Chris: http://shiflett.org/about
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
[Back to original message]
|