Re: Data sanitation for mysql queries. [message #179664 is a reply to message #179663] Fri, 16 November 2012 21:46
Jerry Stuckle
Messages: 2598
Registered: September 2010
Senior Member
On 11/16/2012 2:36 PM, cph wrote:
> On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
>> On 11/16/2012 1:10 PM, cph wrote:
>>
>>> For sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>>
>> Not at all. You need to validate the data, i.e. integer values are
>> actually integers, dates are valid, etc. You can use bind parameters as
>> Daniel indicated, or you can use mysql_real_escape_string() on strings.
>> Numeric values, dates, etc. do not need further processing if they have
>> been properly validated. But they need to be validated even if you're
>> using bind parameters.
>
> I am not asking about validation; that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is,
> from what I have read, it's not good enough to prevent sql injections.

<Top posting fixed>

The whole purpose of mysql_escape_string() is to prepare strings for
insertion into the database. Where did you read it wasn't good enough
to prevent sql injections?

P.S. Please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
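As an added example (not code from the thread or from any poster), the approach Jerry describes: validate that an integer really is an integer, and hand strings to the driver as bound parameters instead of relying on addslashes(). It assumes PHP's PDO with an in-memory SQLite database so it runs without a MySQL server; the table, the rows and the `7x` input are constructed for the demonstration.

```php
<?php
// Added example, not from the thread: validate typed input, then bind it.
// Assumes PDO + in-memory SQLite so it runs offline (MySQL: change the DSN).
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Validation (the thread's point about numeric values): an id must really be
// an integer; filter_var() returns false for anything else.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escaping alone is no substitute: addslashes() only touches quotes,
// backslashes and NUL, so a non-integer id passes through unchanged and
// would be spliced verbatim into an unquoted "WHERE id = ...".
function escapedOnly(string $raw): string
{
    return addslashes($raw);
}

// Hardened write: free-form text is bound as a string parameter, so an
// embedded quote is data, never SQL syntax.
function insertUser(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Hardened read: reject before touching the database, then bind the
// validated integer with an explicit type.
function findUser(PDO $db, string $rawId): ?array
{
    $id = validateId($rawId);
    if ($id === null) { return null; }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$newId = insertUser($db, "o'brien");   // constructed name with an embedded quote
var_dump(findUser($db, (string) $newId), escapedOnly('7x'), findUser($db, '7x'));
```

The last line shows the contrast: the bound lookup of the real id succeeds, addslashes() hands `7x` back untouched, and the validated lookup of `7x` returns null without a query ever being sent.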