robert_gsfame
Posted March 10, 2011

I just want to ask this simple question. Let's say I have this basic query:

    $place=$_GET['place'];
    mysql_query("SELECT * FROM table WHERE place='$place'");

This is a nice target for SQL injection. But what if I replace all the special characters that could be added?

    $replacethis=array("-","`");
    $withthis=array("","");
    $place=str_replace($replacethis,$withthis,$_GET['place']);
    mysql_query("SELECT * FROM table WHERE place='$place'");

Are they still able to do basic SQL injection by trying to get an error by adding a special character, although I didn't use mysql_real_escape_string()? Then what if I protect the file by changing the permission setting to either 644 or 755?

Thanks in advance.

Link to comment: https://forums.phpfreaks.com/topic/230233-sql-injection-vulnerability/

kenrbnsn
Posted March 10, 2011

Why don't you want to use mysql_real_escape_string?

Ken

robert_gsfame (Author)
Posted March 10, 2011

I'm just asking for a new option. But although I can prevent this one, there are a lot of hacking methods that will be used...
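
Added example (not part of the thread and not any poster's code): the `str_replace` filter from the first post compared with a bound-parameter query. PDO with an in-memory SQLite database stands in for the thread's `mysql_query()` call; the `places` table, its rows, the three inputs and the helper names `filtered_lookup` and `bound_lookup` are constructed for illustration.

```php
<?php
// Assumption: PDO + in-memory SQLite replace the thread's mysql_query() call.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE places (id INTEGER PRIMARY KEY, place TEXT)");

// Constructed sample rows.
$ins = $db->prepare("INSERT INTO places (place) VALUES (?)");
foreach (["Paris", "O'Fallon", "Stratford-upon-Avon"] as $p) {
    $ins->execute([$p]);
}

// The filter from the first post: strips "-" and "`", leaves "'" untouched,
// then interpolates the value into the SQL text.
function filtered_lookup(PDO $db, string $input): string
{
    $place = str_replace(["-", "`"], ["", ""], $input);
    try {
        $rows = $db->query("SELECT place FROM places WHERE place='$place'")
                   ->fetchAll(PDO::FETCH_COLUMN);
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        return "SQL error";
    }
}

// Bound parameter: the value is sent as data and never becomes SQL text.
function bound_lookup(PDO $db, string $input): string
{
    $stmt = $db->prepare("SELECT place FROM places WHERE place = ?");
    $stmt->execute([$input]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) . " row(s)";
}

// Constructed inputs: a hyphenated name, a name with an apostrophe, and a
// value whose quote changes the WHERE clause.
$inputs = ["Stratford-upon-Avon", "O'Fallon", "x' OR '1'='1"];
foreach ($inputs as $in) {
    printf("%-22s filtered: %-10s bound: %s\n",
        $in, filtered_lookup($db, $in), bound_lookup($db, $in));
}
```

The filtered path loses the hyphenated name, raises a syntax error on the apostrophe, and returns every row for the third input; the bound path returns one, one and zero rows respectively.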