bilis_money Posted August 12, 2006 Share Posted August 12, 2006 Ok, i'm trying to make a search box for my website.and everything is working fine.now at the moment of testing and looking for holes i notice thatwhen i type these ~, !, @, #, $, %, ^, &, *< (), (, ., *.* and etc.it produces error messages or will display all the records and etc.now i know that this is not intended to do this way but i think this is one of the holes that a cracker can exploit.I'm was thinking if this can be solve by using stripslashes() or related with this? I'm hoping that you can give me advice on this, on how to remove this problem. Thank you very much in advance. Quote Link to comment Share on other sites More sharing options...
Jocka Posted August 13, 2006 Share Posted August 13, 2006 mysql_escape_stringhttp://us2.php.net/mysql_escape_stringmysql_real_escape_stringhttp://us2.php.net/manual/en/function.mysql-real-escape-string.php Quote Link to comment Share on other sites More sharing options...
bilis_money Posted August 13, 2006 Author Share Posted August 13, 2006 so which is the most effective? Quote Link to comment Share on other sites More sharing options...
corbin Posted August 13, 2006 Share Posted August 13, 2006 [quote]Descriptionstring mysql_escape_string ( string unescaped_string )This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated. This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting. [/quote]It pretty much is sayin that _real_escape is the newer version... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.