Re: alternative to mysql_real_escape_string()

Posted by Raj Shekhar on 04/12/05 07:22

info@globalissa.com writes:

> Hello, I have a quick question: To use a custom solution for
> inhibiting sql injection attacks and not a database specific
> solution like mysql_real_escape_string()
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> ... that will run on any database, not just MySql, would the
> following be a viable solution:
>
> a. addslashes() to all variables and

I used the Adodb (adodb.sourceforge.net) class for working with the
database. It could work with a bunch of DBs (mysql, oracle, pgsql).
The most interesting bit about it was that it took care of escaping
the strings before putting the data in the database. Each db had its
own backend, which took care of escaping characters. For example, if
you want to insert "John's Old Shoppe" into MS Access, it has to go in
like "John''s Old Shoppe" and not "John\'s Old Shoppe".

I think Pear::DB also provides this functionality.


> b. remove specific unwanted characters from input including:
>
> -- [comment sign in SQL]
> ' [single quote]
>
> It is possible to just destroy the unwanted characters in a login
> form and prohibit use of those characters in username and password
> fields.
>

If you prohibit the use of some characters in the password field, your
users will be forced to use weak passwords. In this case, your best
bet is to insert the md5sum of the user's password instead of the
cleartext password.

--
Raj Shekhar, Operations Engineer
MySQL DBA, programmer and slacker
Y!IM : lunatech3007
home : http://rajshekhar.net    blog : http://rajshekhar.net/blog/
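The quoting difference the post describes (doubled quotes on an ANSI-style backend versus backslash escapes in the addslashes()/MySQL convention) can be seen directly by running both forms against a database that follows ANSI rules. The example below is added here and is not code from the post, from ADOdb or from Pear::DB; it uses Python's sqlite3 module as a stand-in for an ANSI-quoting backend, the two quoter functions, the table name and the sample strings are constructed for illustration, and the last function shows the driver-side alternative (bound parameters) that makes the per-backend quoting question disappear and lets passwords keep every character.

```python
import sqlite3

# Constructed sample value, the same one the post uses.
SAMPLE = "John's Old Shoppe"


def quote_ansi(value: str) -> str:
    """Quote a string literal the ANSI SQL way: double every single quote.
    This is the form MS Access, PostgreSQL, Oracle and SQLite expect."""
    return "'" + value.replace("'", "''") + "'"


def quote_backslash(value: str) -> str:
    """Quote the way addslashes() does: backslash before ' " and \\.
    Only valid on servers that treat backslash as an escape character."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return "'" + escaped + "'"


def insert_with_string_building(quoter, value: str) -> str:
    """Build the INSERT by string concatenation using the given quoter and run
    it on an in-memory SQLite database (ANSI quoting rules). Returns the value
    as stored, or "ERROR: ..." if the statement did not even parse."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shops (name TEXT)")
    try:
        # Hypothetical application code that quotes in PHP/Python instead of
        # letting the database layer do it.
        conn.execute("INSERT INTO shops (name) VALUES (" + quoter(value) + ")")
        return conn.execute("SELECT name FROM shops").fetchone()[0]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    finally:
        conn.close()


def insert_with_parameters(value: str) -> str:
    """Hand the value to the driver as a bound parameter. No quoting happens
    in application code, so quote marks and '--' are stored as plain data and
    the backend-specific escaping rules never matter."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shops (name TEXT)")
    conn.execute("INSERT INTO shops (name) VALUES (?)", (value,))
    stored = conn.execute("SELECT name FROM shops").fetchone()[0]
    conn.close()
    return stored


if __name__ == "__main__":
    print("ANSI quoting:     ", insert_with_string_building(quote_ansi, SAMPLE))
    print("backslash quoting:", insert_with_string_building(quote_backslash, SAMPLE))
    print("bound parameter:  ", insert_with_parameters("O'Brien -- not a comment"))
```

On SQLite the backslash form is a parse error rather than a silently mangled value: the tokenizer reads `'John\'` as a complete literal and then hits an unterminated quote. That is exactly why a backend-aware layer such as ADOdb, or better still driver-bound parameters, beats a single hand-written escaping routine that is meant to "run on any database".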


