neoform Posted November 17, 2006

Hey, I was just wondering, if I have magic quotes turned on, is this vulnerable to SQL injection attacks?

[code]
if (isset($_GET['i'])) $i=$_GET['i'];
$query = "SELECT * FROM table WHERE username = '$i'";
[/code]

If so, what could be done?

Link to comment: https://forums.phpfreaks.com/topic/27623-sql-injection-protection/

Orio Posted November 17, 2006

Basically, yes. But I suggest you run this function on every input -

[code]
<?php
// Escape a value for use inside a quoted string in a MySQL query.
function sql_quote($value) {
    // Undo magic quotes first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = mysql_real_escape_string($value);
    return $value;
}
?>
[/code]

Orio.

neoform Posted November 17, 2006

See, that's what I normally do, but I have yet to find an example of what can actually be done if I don't do it.. :P Is it really worth the extra processing?

roopurt18 Posted November 17, 2006

Yes.

neoform Posted November 17, 2006

So, basically this is all a conspiracy to get everyone to use mysql_real_escape_string, isn't it? I seee..............
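
The hardened form of the lookup from the first post, as an added example that is not part of the original thread: it passes the value as a bound parameter through PDO instead of escaping it into the SQL string. The `find_user` function, the `users` table, the in-memory SQLite database and the sample rows and inputs are assumptions constructed for illustration.

```php
<?php
// Added example: the thread's lookup rewritten with a bound parameter.
// Assumptions: PDO with the SQLite driver, a hypothetical `users` table, constructed rows.

function find_user(PDO $db, $name): array
{
    // The original left $i undefined when the parameter was missing;
    // reject missing or non-string input (e.g. ?i[]=x arrives as an array).
    if (!is_string($name) || $name === '') {
        return [];
    }
    // The value travels separately from the SQL text, so quotes and
    // backslashes inside it are data, never syntax.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:name)');
foreach (['alice', "o'brien", 'back\\slash'] as $name) {   // constructed sample rows
    $insert->execute([':name' => $name]);
}

// Constructed inputs standing in for $_GET['i'].
$inputs = ['alice', "o'brien", 'back\\slash', "x' OR '1'='1", ['array'], null];
foreach ($inputs as $input) {
    // Names that exist return one row, stored exactly as entered;
    // everything else, including quote-laden or non-string input, returns none.
    $rows = find_user($db, $input);
    printf("%-18s => %d row(s)\n", json_encode($input), count($rows));
}
```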
This topic is now archived and is closed to further replies.