nightkarnation, Posted September 15, 2008

I was wondering if with, let's say:

$name = mysql_real_escape_string($_POST['user']);

you are preventing a form input text field... BUT ALSO THE FOLLOWING ATTACK:

http://mywebsite.com/login.php?id=2'; DROP TABLE login; #

IF NOT... how can I prevent this address attack??

And... can a hacker attack by simply:

http://mywebsite.com/login.php'; DROP TABLE login; #

???

I really appreciate some feedback on this one. Thanks in advance for the reply!

Cheers,
Andy-H, Posted September 15, 2008

Just escape your data when you use the $_GET superglobal too..
Mchl, Posted September 15, 2008

Yes. mysql_real_escape_string() takes care of that (it will escape a ' after id=2, so that query won't be split in two).

Besides, mysql_query() can only do single queries, so even if you did

mysql_query("SELECT * FROM TABLE; DROP ALL TABLES;");

it wouldn't work.
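An added example, not code from this thread: the same id lookup written with escaping inside a quoted literal, and with a mysqli prepared statement, which is the form to prefer since the value never becomes part of the SQL text (the mysql_* functions were removed in PHP 7). The table name login, the columns id and user, and the connection constants are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumes a table `login` with an
// integer `id` column and a `user` column; connection values are placeholders.
declare(strict_types=1);

function lookupEscapedQuoted(mysqli $db, string $id): ?array
{
    // Escaping only helps when the value sits inside quotes: the ' in
    // "2'; DROP TABLE login; #" becomes \' and stays inside the literal,
    // so the statement is not split. In an unquoted WHERE id = $id the
    // escaping would not help, because nothing needs quoting to break out.
    $safe = $db->real_escape_string($id);
    $sql  = "SELECT id, user FROM login WHERE id = '$safe'";
    $res  = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function lookupPrepared(mysqli $db, string $id): ?array
{
    // Preferred: the parameter is sent separately from the SQL text, so no
    // escaping rules have to be right, and the 'i' type binds an integer.
    $stmt = $db->prepare('SELECT id, user FROM login WHERE id = ?');
    $idInt = (int) $id;              // "2'; DROP TABLE login; #" becomes 2
    $stmt->bind_param('i', $idInt);  // bind_param takes its value by reference
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Minimal harness: the id comes from the URL, exactly the case asked about.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
$id = $_GET['id'] ?? '';   // e.g. login.php?id=2'; DROP TABLE login; #
var_dump(lookupPrepared($db, $id));
```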
nightkarnation (Author), Posted September 15, 2008

Ok cool, thank you very much guys!