Reply to Re: [PHP] alternative to mysql_real_escape_string()

Your name:

Reply:


Posted by Richard Lynch on 04/12/05 01:12

On Mon, April 11, 2005 12:16 am, info@globalissa.com said:
> I have a quick question: To use a custom solution for inhibiting sql
> injection attacks and not a database specific solution like
> mysql_real_escape_string()
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> ... that will run on any database, not just MySql, would the following be
> a viable solution:
>
> a. addslashes() to all variables and
> b. remove specific unwanted characters from input including:
>
> -- [comment sign in SQL]
> ' [single quote]

No.

# is the comment sign in SQL
No, wait, it's /* ... */
No, wait, there is no comment sign in SQL.

Which database are you using?

> It is possible to just destroy the unwanted characters in a login form and
> prohibit use of those characters in username and password fields.

That also can help, but you want some alphanumeric *AND* punctuation for
good passwords.

> Would a. plus b. above provide reasonably good protection to inhibit sql
> injection attacks, or what is the best database independent approach using
> php and not a database function?

class PlatformIndependentDatabase () {
var $platform;

/* Constructor sets $platform to 'mysql', or 'pgsql' or 'sql-server' ... */

function escape_string ($string){
switch ($this->platform){
case 'mysql': return mysql_real_escape_string($string); break;
case 'pgsql': return pg_real_escapge_string($string); break;
default: error_log("$this->platform has NO escape string?!"); return
$string; break;
}
}
}

Disclaimer: I don't use platform-independent db code, cuz I don't expect
to switch any time, and I don't use objects, cuz I'm a solo author and can
write better/faster code without them, so I likely have syntax errors in
the above.


--
Like Music?
http://l-i-e.com/artists.htm

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация