SQL injection protection
Posted 24 July 2006 - 06:14 PM
I know that an additional SQL query has spaces, so that's not a problem. But I'm sure I read somewhere that you can encode special characters to bypass URL encoding, i.e. to pass in a single quote or something similar.
Any ideas and suggestions would be appreciated. I don't think I can modify the existing code without good cause.
Thanks boys and girls.
Posted 24 July 2006 - 07:03 PM
As I said, I can't really change the pre-existing code for the authentication class. That's not really my job, nor do I have permission to. I do have to secure my portion of code to the best of my ability.
I agree that mysql_real_escape_string() should be used, but just as a best practice. In order to get the developer to change the current implementation of the authentication class, I need to explain why URLEncode isn't sufficient, but alas I'm not really sure why it's not. I tried passing in the few general SQL commands I know of and it seems to stop them. So what else is there?
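An added illustration (not code from anyone in this thread) of why URL encoding does nothing for SQL: the browser encodes `'` as `%27`, but the web server decodes it again before the value reaches application code (PHP's `$_GET`/`$_POST` are already decoded), so the quote is intact when the query is built. Python with an in-memory SQLite table stands in for PHP/MySQL here, and the username `O'Brien` is a constructed sample value; it shows the string-concatenated query failing on the decoded quote while a bound parameter handles it correctly.

```python
import sqlite3
from urllib.parse import quote, unquote

# Constructed sample input containing a single quote (a legitimate surname).
USERNAME = "O'Brien"


def url_roundtrip(value: str) -> str:
    """URL-encode as a browser would, then decode as the web server does
    before the value ever reaches application code."""
    encoded = quote(value, safe="")   # "O%27Brien" on the wire
    return unquote(encoded)           # "O'Brien" again: the quote survives


def setup_db() -> sqlite3.Connection:
    """Constructed one-row users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('O''Brien', 'hunter2')")
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """String-built query: the decoded quote ends the SQL string literal
    early, so the statement no longer means what the author intended and
    the database rejects it with a syntax error."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the quote is data, never SQL, so the row is found."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups on the URL-round-tripped value and report what happened."""
    conn = setup_db()
    name = url_roundtrip(USERNAME)
    result = {"decoded": name, "parameterized": lookup_parameterized(conn, name)}
    try:
        lookup_concatenated(conn, name)
        result["concatenated_error"] = None
    except sqlite3.OperationalError as exc:
        result["concatenated_error"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The same input that breaks the concatenated query would, in a real application, be the point where an attacker-controlled value starts being interpreted as SQL; escaping (`mysql_real_escape_string()`) or, better, bound parameters must happen at the SQL layer, because URL decoding has already undone any transport encoding by then.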