neoform Posted November 17, 2006

Hey, I was just wondering, if I have magic quotes turned on, is this vulnerable to SQL injection attacks?

[code]
if (isset($_GET['i'])) $i=$_GET['i'];
$query = "SELECT * FROM table WHERE username = '$i'";
[/code]

If so, what could be done?

Orio Posted November 17, 2006

Basically, yes. But I suggest you run this function on every input:

[code]
<?php
function sql_quote($value)
{
    // Undo the slashes magic quotes already added, so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape for the current MySQL connection
    $value = mysql_real_escape_string($value);
    return $value;
}
?>
[/code]

Orio.

neoform Posted November 17, 2006

See, that's what I normally do, but I have yet to find an example of what can actually be done if I don't do it.. :P Is it really worth the extra processing?

roopurt18 Posted November 17, 2006

Yes.

neoform Posted November 17, 2006

So, basically this is all a conspiracy to get everyone to use mysql_real_escape_string, isn't it? I seee..............
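
The lookup from the first post, written with a bound parameter instead of string escaping, as an added example that is not part of the original thread. It assumes PHP 7+ with the PDO SQLite driver; the `users` table, its rows and `find_user()` are constructed for illustration, and `addslashes()` stands in for what magic quotes did to request data.

```php
<?php
// Added example: constructed schema and rows, in-memory SQLite through PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)');

// Hypothetical helper: the thread's SELECT with a placeholder instead of '$i'.
function find_user(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);   // value travels separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Seed rows are bound too, so the apostrophe needs no manual escaping.
$insert = $pdo->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
$insert->execute(['alice', 'alice@example.test']);
$insert->execute(["o'brien", 'obrien@example.test']);

$raw   = "o'brien";          // what the visitor typed
$magic = addslashes($raw);   // stand-in for what magic_quotes_gpc put in $_GET

$cases = [
    'raw value'                 => $raw,
    'magic-quoted value'        => $magic,
    'magic-quoted, slashes off' => stripslashes($magic),
];
foreach ($cases as $label => $value) {
    printf("%-26s %-10s rows=%d\n", $label, $value, count(find_user($pdo, $value)));
}
```

With a bound parameter the backslash that magic quotes added is matched literally, so the magic-quoted value finds no row until `stripslashes()` is applied, which is the same step `sql_quote()` performs before escaping.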