Posted by Paul Furman on 03/23/06 02:15
Andy Jeffries wrote:
> On Wed, 22 Mar 2006 23:35:54 +0000, Paul Furman wrote:
>
>>>I'd go with passing each of your parameter through:
>>>
>>>http://uk.php.net/mysql-real-escape-string
>>>
>>>It will escape all quotes properly.
>>
>>But if I want to use quotes, that would remove them right? There are cases
>>where the user input should have quotes with my application.
>
>
> No, not remove - escape.
>
> So it would convert:
>
> INSERT INTO foo (bar) VALUES ('don't you');
>
> (which is broken) into:
>
> INSERT INTO foo (bar) VALUES ('don\'t you');
>
> so it inserts into the database. This would stop your hacking attempts
> because strings like: something' UNION ALL SELECT...
> would become:
>
> SELECT * FROM foo WHERE bar='something\' UNION ALL SELECT...';
>
> It's quite safe and makes sure any quotes are inserted into the column
> you wrap in that function rather than breaking out into separate SQL
> statements or clauses.
Thanks for the explanation. If I understand correctly then it would
allow me to use quotes when I want to as well as disabling malicious
quoting. That's great.
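An added example, not code from this thread: a small Python stand-in for the escaping behaviour described above, paired with a literal scanner that checks whether the user's text stayed inside its quotes. The escape table is an assumption modelled on the thread's description; the real PHP function is also connection and charset aware, which this toy is not.

```python
# Added example (not from the thread): a Python stand-in for the escaping
# behaviour mysql_real_escape_string is described as having, plus a small
# literal scanner that shows whether user text stayed inside its quotes.
ESCAPE = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
          "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
UNESCAPE = {"n": "\n", "r": "\r", "0": "\0", "Z": "\x1a"}


def mysql_escape(value):
    """Backslash-escape the characters MySQL treats specially inside a
    quoted literal. Assumption: the table above mirrors the PHP function
    (the real one is also charset-aware, which this toy is not)."""
    return "".join(ESCAPE.get(ch, ch) for ch in value)


def build_query(user_input, escape):
    """The thread's query, built with or without escaping the user value."""
    value = mysql_escape(user_input) if escape else user_input
    return "SELECT * FROM foo WHERE bar='%s';" % value


def string_literals(sql):
    """Return the decoded contents of every single-quoted literal in sql,
    honouring backslash escapes as MySQL does in its default SQL mode.
    Anything outside the returned literals is parsed by MySQL as SQL."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            buf, i = [], i + 1
            while i < n and sql[i] != "'":
                if sql[i] == "\\" and i + 1 < n:
                    buf.append(UNESCAPE.get(sql[i + 1], sql[i + 1]))
                    i += 2
                else:
                    buf.append(sql[i])
                    i += 1
            literals.append("".join(buf))
        i += 1
    return literals


def value_stays_in_literal(user_input):
    """True when the escaped input round-trips as exactly one literal."""
    return string_literals(build_query(user_input, True)) == [user_input]


if __name__ == "__main__":
    attempt = "something' UNION ALL SELECT..."
    print(string_literals(build_query(attempt, False)))  # ['something', ';']
    print(string_literals(build_query(attempt, True)))   # [attempt]
    print(value_stays_in_literal("don't you"))           # True
```

Without escaping, the scanner shows the first literal closing after `something` and the rest landing in SQL territory; with escaping, the whole input is one literal, which is exactly the property the reply above describes.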