mysql_real_escape_string PREVENTION for address attack ??


nightkarnation

I was wondering if with let's say:

$name = mysql_real_escape_string($_POST['user']);

You are preventing a form input text field...BUT ALSO THE FOLLOWING ATTACK:

http://mywebsite.com/login.php?id=2'; DROP TABLE login; #

IF NOT...how can I prevent this address attack ??

And...can a hacker attack by simply:

http://mywebsite.com/login.php'; DROP TABLE login; #

???

I really appreciate some feedback on this one,

Thanks in advance for the reply!

Cheers,

Yes. mysql_real_escape_string() takes care of that (it will escape a ' after id=2, so that query won't be split in two)

Besides, mysql_query() can only do single queries, so even if you did

mysql_query("SELECT * FROM TABLE; DROP ALL TABLES;");

It wouldn't work.
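
Added example, not part of the original thread: escaping only protects a value that ends up inside a quoted string literal, so a numeric `id` from the URL is better validated as an integer and bound as a parameter, shown here with PDO prepared statements. An in-memory SQLite database stands in for MySQL so the script runs offline; the `login` table layout, the sample rows and the function names `findUserById` and `findUserByName` are assumptions made for the illustration.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL database so the
// script runs offline; the table layout and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, user TEXT)');
$pdo->exec("INSERT INTO login (id, user) VALUES (1, 'alice'), (2, 'bob')");

/**
 * Look up a user by the id taken from the query string (hypothetical helper).
 * Returns the row, or null when the id is not a plain integer or no row matches.
 */
function findUserById(PDO $pdo, $rawId): ?array
{
    // Reject anything that is not a positive integer before it reaches the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT id, user FROM login WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Same idea for a string field such as the posted user name (hypothetical helper). */
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, user FROM login WHERE user = :user');
    $stmt->execute([':user' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, then the string from the question.
foreach (['2', "2'; DROP TABLE login; #"] as $raw) {
    var_dump(findUserById($pdo, $raw));
}
// The same string sent as a user name is compared as data, not parsed as SQL.
var_dump(findUserByName($pdo, "bob'; DROP TABLE login; #"));
// Row count of the login table after the three lookups.
var_dump((int) $pdo->query('SELECT COUNT(*) FROM login')->fetchColumn());
```

With MySQL the same functions work unchanged once the PDO connection string points at the real server; the `mysql_*` functions used in the thread were removed in PHP 7.0.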
