Posted by R. Rajesh Jeba Anbiah on 03/23/06 08:12

Andy Jeffries wrote:
> On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:
>
> > How to I clean up SQL hacking such as this:
> > /?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D%27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my_field%2C+<snip>+FROM+another_table+%23
<snip>
> I'd go with passing each of your parameter through:
>
> http://uk.php.net/mysql-real-escape-string
<snip>

The latest doctrine is to use prepared statement
<http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

[Back to original message]