zander1983, posted July 2, 2011: I've got a marketplace-style site and a friend managed to perform SQL injection on it despite the fact that I use mysql_real_escape_string() to escape any dodgy characters. Are there any flaws to this function? I thought it totally eradicated SQL injection.
Pikachu2000, posted July 2, 2011: You've probably not used it properly, misapplied it, or used another function that negates it. Post the code in question, and let's see what's going on with it.
PFMaBiSmAd, posted July 2, 2011: mysql_real_escape_string only protects against SQL injection in string data, i.e. data enclosed by single quotes in a query. For things like numerical data (which is not enclosed by single quotes in a query), you need to validate/cast the data as a number in order to prevent SQL injection, because it is possible to form SQL that contains no quotes, for which escaping the quotes doesn't do anything because there are no quotes to escape.
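The point above, as an added example that is not from the thread: an unquoted numeric parameter is embedded unchanged by quote-escaping, while casting or validating it as a number closes the hole. The table name, the input strings and the use of addslashes() as an offline stand-in for mysql_real_escape_string() (which needs a live connection) are assumptions of this example.

```php
<?php
// Added example, not code from the original thread. Shows why escaping
// alone does nothing for an unquoted numeric value and how casting or
// validating the value fixes it. Table name and inputs are hypothetical.

// Constructed inputs: a normal id, and a non-numeric string that
// contains no quote characters at all.
$inputs = ['42', '42 OR 1=1'];

// VULNERABLE: escaping only neutralises quotes and backslashes. The
// second input has neither, so it lands in the query unchanged.
function build_query_escaped_only($id) {
    // addslashes() stands in for mysql_real_escape_string() here so the
    // example runs without a database; both only escape quotes/backslashes.
    $escaped = addslashes($id);
    return "SELECT * FROM listings WHERE id = $escaped";
}

// FIXED (a): cast to int. Any non-numeric tail is dropped ('42 OR 1=1' -> 42).
function build_query_cast($id) {
    $safe = (int) $id;
    return "SELECT * FROM listings WHERE id = $safe";
}

// FIXED (b): validate strictly and reject anything that is not all digits,
// so a bad value is an error you can log rather than a silently altered query.
function build_query_validated($id) {
    if (!ctype_digit((string) $id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return "SELECT * FROM listings WHERE id = " . $id;
}

foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  escaped only : " . build_query_escaped_only($in) . "\n";
    echo "  cast to int  : " . build_query_cast($in) . "\n";
    try {
        echo "  validated    : " . build_query_validated($in) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  validated    : rejected (" . $e->getMessage() . ")\n";
    }
}
```

For the second input the escaped-only query still contains the extra condition, the cast query uses id = 42, and the validated version rejects the value outright.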
zander1983 (author), posted July 2, 2011:

> For things like numerical data (which is not enclosed by single quotes in a query), you need to validate/cast the data as a number in order to prevent SQL injection, because it is possible to form SQL that contains no quotes, for which escaping the quotes doesn't do anything because there are no quotes to escape.

I had not thought about that; this must be the problem. Cheers.