Startses Posted August 9, 2009 Share Posted August 9, 2009 I made the following function to validate info being sent to my database: function valid($text){ $text = str_replace(" ","", $text); if (empty($text)) return false; $text = eregi_replace("([a-z0-9]+)","",$text); if (empty($text)) return true; else return false; } would this be enough or would I still need to use mysql_real_escape_string() for some reason? It only allows lowercase and numbers, unless I'm missing something? Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/ Share on other sites More sharing options...
The Little Guy Posted August 9, 2009 Share Posted August 9, 2009 I would recommend using use mysql_real_escape_string() on EVERYTHING!!! Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893944 Share on other sites More sharing options...
PugJr Posted August 9, 2009 Share Posted August 9, 2009 A question: Whats the penalty of not being safe? Safe than sorry when you are questioning over some very small ammount of computing power. Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893945 Share on other sites More sharing options...
PugJr Posted August 9, 2009 Share Posted August 9, 2009 I would recommend using use mysql_real_escape_string() on EVERYTHING!!! No. Not everything. Only use it on things that people can submit into AND that goes into your database. Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893946 Share on other sites More sharing options...
The Little Guy Posted August 9, 2009 Share Posted August 9, 2009 Yeah, that Is what I meant. Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893948 Share on other sites More sharing options...
RestlessThoughts Posted August 9, 2009 Share Posted August 9, 2009 Nah, that should be enough, there's no SQL that can be done with just lowercase and numbers. Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893967 Share on other sites More sharing options...
PFMaBiSmAd Posted August 9, 2009 Share Posted August 9, 2009 Unfortunately, hexadecimal encoded characters can be used to inject sql (you can inject things like single-quotes without supplying actual single-quotes by using hexadecimal), so things like the following (harmless examples) would get past the eregi_replace code that was posted - 0x274d7953514c27 0x275061756c27 Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893969 Share on other sites More sharing options...
Daniel0 Posted August 9, 2009 Share Posted August 9, 2009 Unfortunately, hexadecimal encoded characters can be used to inject sql (you can inject things like single-quotes without supplying actual single-quotes by using hexadecimal), so things like the following (harmless examples) would get past the eregi_replace code that was posted - 0x274d7953514c27 0x275061756c27 Yeah, but even: INSERT INTO foo (bar) VALUES ('0x275061756c27'); Wouldn't work (from an attacker's point of view). If you've made sure that your string only contains alphanumeric characters and you delimit the string in quotes there is no way any SQL injection vulnerability would be possible. Quote Link to comment https://forums.phpfreaks.com/topic/169436-mysql_real_escape_string-question/#findComment-893985 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.