Posted by Andy Jeffries on 03/23/06 01:43
On Wed, 22 Mar 2006 23:35:54 +0000, Paul Furman wrote:
>> I'd go with passing each of your parameter through:
>>
>> http://uk.php.net/mysql-real-escape-string
>>
>> It will escape all quotes properly.
>
> But if I want to use quotes, that would remove them right? There are cases
> where the user input should have quotes with my application.
No, not remove - escape.
So it would convert:
INSERT INTO foo (bar) VALUES ('don't you');
(which is broken) into:
INSERT INTO foo (bar) VALUES ('don\'t you');
so it inserts into the database. This would stop your hacking attempts
because strings like: something' UNION ALL SELECT...
would become:
SELECT * FROM foo WHERE bar='something\' UNION ALL SELECT...';
It's quite safe and makes sure any quotes are inserted into the column
you wrap in that function rather than breaking out into separate SQL
statements or clauses.
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos
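The mechanism Andy describes above, as an added example that is not part of the original thread: a pure-Python imitation of the escaping that mysql_real_escape_string() performs (the PHP manual lists NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z as the characters it prefixes with a backslash), plus a small splitter that walks a statement the way a MySQL parser would and reports which text ends up inside a string literal and which ends up as SQL code. Running the post's two examples through it shows the point directly: without escaping, UNION ALL SELECT lands outside the literal; with escaping, the whole payload stays inside one literal. The function and template names are this example's own; the real mysql_real_escape_string() is connection-charset aware, which this imitation is not, and on a current code base the defender's first choice is a parameterised query (mysqli or PDO prepared statements), where the value never touches the SQL text at all.

```python
"""Escaping keeps user input inside one string literal. Constructed example,
not code from the original post."""

# Characters that mysql_real_escape_string() prefixes with a backslash,
# per the PHP manual. This map is an imitation for ASCII/UTF-8 input only.
_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# How MySQL reads those backslash sequences back inside a literal.
_UNESCAPES = {"0": "\x00", "n": "\n", "r": "\r", "Z": "\x1a"}


def mysql_escape(value: str) -> str:
    """Imitation of mysql_real_escape_string() (not charset aware)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query(bar: str, escape: bool) -> str:
    """The SELECT from the post, with the value spliced in raw or escaped."""
    template = "SELECT * FROM foo WHERE bar='{}';"
    return template.format(mysql_escape(bar) if escape else bar)


def split_literals(sql: str) -> list[tuple[str, str]]:
    """Split SQL into ('code', text) and ('literal', text) pieces, honouring
    backslash escapes and doubled quotes inside single-quoted literals the
    way MySQL (default sql_mode) does. An unterminated literal is still
    reported as a literal so the caller can see the statement is broken."""
    pieces: list[tuple[str, str]] = []
    buf: list[str] = []
    in_literal = False
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if not in_literal:
            if ch == "'":
                if buf:
                    pieces.append(("code", "".join(buf)))
                    buf = []
                in_literal = True
            else:
                buf.append(ch)
            i += 1
        elif ch == "\\" and i + 1 < n:
            # Backslash escape: the following character is literal content.
            nxt = sql[i + 1]
            buf.append(_UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'" and i + 1 < n and sql[i + 1] == "'":
            buf.append("'")  # doubled quote is also a literal quote
            i += 2
        elif ch == "'":
            pieces.append(("literal", "".join(buf)))
            buf = []
            in_literal = False
            i += 1
        else:
            buf.append(ch)
            i += 1
    if buf or in_literal:
        pieces.append(("literal" if in_literal else "code", "".join(buf)))
    return pieces


def keyword_outside_literals(sql: str, keyword: str = "UNION") -> bool:
    """True if the keyword is parsed as SQL code rather than string content."""
    return any(kind == "code" and keyword in text.upper()
               for kind, text in split_literals(sql))


if __name__ == "__main__":
    payload = "something' UNION ALL SELECT..."  # the string from the post
    for escape in (False, True):
        sql = build_query(payload, escape)
        print(f"escape={escape}: {sql}")
        for kind, text in split_literals(sql):
            print(f"   {kind:8s} {text!r}")
        print("   UNION reaches the parser as code:",
              keyword_outside_literals(sql))
```

The unescaped statement splits into code, the literal "something", the code " UNION ALL SELECT...", and a dangling unterminated literal; the escaped one splits into code, a single literal equal to the original payload, and the closing semicolon.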