bypassing mysql_escape?

[Monkuar]

i use mysql escape and intval for my integers

 

but i read this article

 

http://www.itshacked.com/350/bypassing-php-security-mysql_escape_string-while-sql-injection-attacks-is-possible.html

 

shows that people can bypass t he mysql_escape, but that article is only showing if they dont intval there ID= XXXX

 

is it true or bogus?

 

what are some more security measures can I take to help reduce the risk of sql injection?

 

I use intval and mysql_escape_string, what else?

[Pikachu2000]

Are you using mysql_escape_string(), which has been deprecated since php 4.3.0, or mysql_real_escape_string()? There's a difference, and you should be using the _real_ function.

[Monkuar]

Are you using mysql_escape_string(), which has been deprecated since php 4.3.0, or mysql_real_escape_string()? There's a difference, and you should be using the _real_ function.

 

im using

 

function escape($str)
{
	return is_array($str) ? '' : mysqli_real_escape_string($this->link_id, $str);
}

 

then I do $db->escape($variable) for whatever variable before enters db

 

good?

[Pikachu2000]

For that part, yes. For numeric values, they need to be at the least cast as the appropriate data type. Validating them doesn't hurt either, so you can tell your user about any errors and let them correct mistakes.

[Monkuar]

For that part, yes. For numeric values, they need to be at the least cast as the appropriate data type. Validating them doesn't hurt either, so you can tell your user about any errors and let them correct mistakes.

 

Love it

 

thank you