otuatail Posted August 26, 2009
Not sure if this is good enough for SQL injection, but when entering a user name and password would this be ok?

$USR = $_POST['User'];
// remove sql injection
$USR = str_replace('-', "", $USR);
$USR = str_replace("'", "", $USR);

TIA Desmond.
https://forums.phpfreaks.com/topic/172015-sql-injection/
ignace Posted August 26, 2009
No, use mysql_real_escape_string.
otuatail (Author) Posted August 26, 2009
Thanks. The only thing it does not check for is (-), because an SQL statement can be terminated by a double --.
PFMaBiSmAd Posted August 26, 2009
The -- only has meaning in a query when it is outside of a quoted string. When used inside of a quoted string, the characters are treated as part of the string. mysql_real_escape_string will prevent SQL injection for string data (kind of why it is called what it is). If you have numeric data (which would not be enclosed in quotes in the query), you need to validate that it is numeric or cast it as a numeric data type to prevent SQL injection.
otuatail (Author) Posted August 26, 2009
Ok, thanks. I thought that adding -- would cancel everything after it. How do you cast a number without an error? I.e. (£$%^%^&*) is not a number but would default maybe to zero.
PFMaBiSmAd Posted August 26, 2009
var_dump((int)"£$%^%^&*");

Gives:

int(0)
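PFMaBiSmAd's point about numeric data, worked through as an added example (this is not code from the thread): filter_var with FILTER_VALIDATE_INT rejects anything that is not a whole integer, while the (int) cast shown in the last reply silently maps junk to 0. The function names and the sample inputs are constructed for the example; the query string is built only from the validated integer, so it never needs quoting or escaping.

```php
<?php
// Added example, not from the thread: validating vs. casting numeric input
// before it reaches a query. Runs offline; no database connection is needed.

// Strict validation: returns an int only if the whole string is a positive
// integer, otherwise null so the caller can reject the request.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Lenient cast, as in the thread: junk becomes 0 and "12abc" becomes 12.
// This never throws, but it silently turns bad input into a real number.
function cast_id(string $raw): int
{
    return (int) $raw;
}

// Build the numeric comparison only from a validated integer. The value is
// interpolated as a bare number, so quoting and escaping do not apply here.
function build_user_query(string $raw): ?string
{
    $id = validate_id($raw);
    if ($id === null) {
        return null;               // reject instead of guessing a value
    }
    return "SELECT name FROM users WHERE id = $id";
}

// Constructed sample inputs: a valid id, the junk string from the thread,
// a mixed string, and zero (outside the allowed range).
$samples = ['42', '£$%^%^&*', '12abc', '0'];

foreach ($samples as $s) {
    printf("%-12s cast=%-3d validated=%-5s query=%s\n",
        var_export($s, true),
        cast_id($s),
        var_export(validate_id($s), true),
        build_user_query($s) ?? '(rejected)');
}
```

Only '42' produces a query; the other three are cast to 0, 12 and 0 respectively but are rejected by the validator.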