robert_gsfame Posted March 10, 2011

I just want to ask this simple question. Let's say I have this basic query:

    $place=$_GET['place'];
    mysql_query("SELECT * FROM table WHERE place='$place'");

This is a nice target for SQL injection.. but what if I replace all the special characters that could be added?

    $replacethis=array("-","`");
    $withthis=array("","");
    $place=str_replace($replacethis,$withthis,$_GET['place']);
    mysql_query("SELECT * FROM table WHERE place='$place'");

Are they still able to do the basic SQL injection by trying to get the error by adding a special character, although I didn't use mysql_real_escape_string()?

Then what if I protect the file by changing the permission setting to either 644 or 755?

Thanks in advance.

kenrbnsn Posted March 10, 2011

Why don't you want to use mysql_real_escape_string?

Ken

robert_gsfame (Author) Posted March 10, 2011

I am just asking for a new option, but although I can prevent this one, there are a lot of hacking methods that will be used..
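
An added example, not written by any poster in this thread, that runs the question's str_replace filter and a bound parameter over the same place names. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection; the table `places`, its rows, the inputs and the function names are constructed for illustration.

```php
<?php
// Added example; not code from the thread. Table, rows and inputs are constructed.
// Assumption: PDO + in-memory SQLite so it runs offline (the thread targets MySQL).

// The filter from the question: strips "-" and "`" only.
function blacklist_filter(string $s): string {
    return str_replace(["-", "`"], ["", ""], $s);
}

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE places (id INTEGER PRIMARY KEY, place TEXT)");
    $ins = $db->prepare("INSERT INTO places (place) VALUES (?)");
    foreach (["St. John's", "Stratford-upon-Avon", "Paris"] as $p) {
        $ins->execute([$p]);
    }
    return $db;
}

// Pattern from the question: filtered value concatenated into the SQL text.
function lookup_concat(PDO $db, string $input): string {
    $place = blacklist_filter($input);
    try {
        $rows = $db->query("SELECT * FROM places WHERE place='$place'")->fetchAll();
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        return "SQL error"; // the input changed the structure of the statement
    }
}

// Parameterized form: the value is bound as data and never parsed as SQL.
function lookup_prepared(PDO $db, string $input): string {
    $stmt = $db->prepare("SELECT * FROM places WHERE place = ?");
    $stmt->execute([$input]);
    return count($stmt->fetchAll()) . " row(s)";
}

$db = make_db();
foreach (["St. John's", "Stratford-upon-Avon", "Paris"] as $input) {
    printf("%-22s concat: %-10s prepared: %s\n",
        $input, lookup_concat($db, $input), lookup_prepared($db, $input));
}
```

The single quote is not in the filter's list, so an ordinary value containing one still terminates the string literal early, while the hyphen removal corrupts a legitimate lookup. File permissions such as 644 or 755 control who can read the script on disk and have no effect on how the query is built.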