SQL Injection

otuatail · August 26, 2009

Not shure if this is good enoughf for sql injection but when entering a user name and password would this be ok.

$USR = $_POST['User'];
// remove sql injection
$USR = str_replace('-',"",$USR);
$USR = str_replace("'","",$USR);

TIA Desmond.

ignace · August 26, 2009

no use mysql_real_escape_string

otuatail · August 26, 2009

Thanks. The only thing it does not check for is (-) because an SQL can be terminated by a double --

PFMaBiSmAd · August 26, 2009

The -- only has meaning in a query when it is outside of a quoted string. When used inside of a quoted string they are treated as part of the string. mysql_real_escape_string will prevent sql injection for string data (kind of why it is called what it is.)

If you have numeric data (which would not be enclosed in quotes in the query) you need to validate that it is numeric or cast it as a numeric data type to prevent sql injection.

otuatail · August 26, 2009

Ok thanks I thought that adding -- would cancel everything after. How do you cast a number without an error. Ie (£$%^%^&*) is not a number but would default maybe to zero

PFMaBiSmAd · August 26, 2009

var_dump ((int)"£$%^%^&*");

Gives: int(0)

Sign In

SQL Injection

Recommended Posts

otuatail

Link to comment

Share on other sites

ignace

Link to comment

Share on other sites

otuatail

Link to comment

Share on other sites

PFMaBiSmAd

Link to comment

Share on other sites

otuatail

Link to comment

Share on other sites

PFMaBiSmAd

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information