Re: SQL injection and PHP/MYSQL
From: Brad Fults (bradmipscomputation.com)
Date: Wed Sep 10 2003 - 12:55:34 CDT
After using mysql_escape_string() to insert data into the database, is there
an equal combination of unescaping one should do when the data is pulled
from the database, or is a stripslashes() all that is necessary?
----- Original Message -----
From: "shimi" <shimishimi.net>
To: "Robert Buljevic" <skeptics1c.org>
Sent: Tuesday, September 09, 2003 2:10 PM
Subject: Re: SQL injection and PHP/MYSQL
> Uhm: http://php.net/mysql-escape-string
> On Tue, 9 Sep 2003, Robert Buljevic wrote:
> > I'm well aware of the sql injection problem when accepting non-trusted
> > However, I'm interested in a more concrete example, precisely the
> > combination.
> > Suppose I have some input text that's passed to mysql for searching via
> > get request.
> > What characters should I allow/disallow?
> > And is it enough to use PHP's addslashes function? If not, why? Could
> > provide any example of input that could cause injection even if it's
> > slashed - always referring to the particular case of PHP/MYSQL?
> > Any info would be appreciated... Thanks!
> > Robert Buljevic
> Best regards,
> "Outlook is a massive flaming horrid blatant security violation, which
> also happens to be a mail reader."
> -=The best way to accelerate a Windows machine is at 9.81 m/s^2=-
> "Sure UNIX is user friendly; it's just picky about who its friends
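The question at the top of this message (escape on insert, then what on read?) can be settled by running the round trip. The following is an added example, not code from anyone in the thread; it uses mysqli, since mysql_escape_string() was deprecated in PHP 5.3 and removed in PHP 7, and it assumes a reachable MySQL server with placeholder credentials and a throwaway table named `notes`. The input string is constructed for the demonstration.

```php
<?php
// Added example (not from the original thread). Point being shown: escaping is
// applied to the SQL *statement text* so the parser does not misread the value;
// MySQL stores the original bytes. A SELECT therefore returns the data unchanged
// and no stripslashes() is needed on the way out.
// Assumption: host/user/password/database below are placeholders for a test server.

$db = new mysqli('localhost', 'user', 'password', 'testdb');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Escaping is charset-aware; set the connection charset before escaping anything.
$db->set_charset('utf8mb4');

$db->query('CREATE TEMPORARY TABLE notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)');

// Constructed input containing a single quote, a backslash and double quotes.
$input = "O'Brien said: C:\\temp is \"safe\"";

// 1. Escape-on-insert. real_escape_string() escapes ' " \ NUL \n \r and Ctrl-Z,
//    which is why it is preferred over addslashes() for MySQL statement text.
$escaped = $db->real_escape_string($input);
$db->query("INSERT INTO notes (body) VALUES ('$escaped')");

// 2. Read back. The stored value equals $input exactly; there is nothing to unescape.
$row = $db->query('SELECT body FROM notes ORDER BY id DESC LIMIT 1')->fetch_assoc();
var_dump($row['body'] === $input);                // bool(true)

//    Applying stripslashes() on output would corrupt legitimate data: it would
//    turn the real backslash in "C:\temp" into "C:temp".
var_dump(stripslashes($row['body']) === $input);  // bool(false)

// 3. Preferred form: a prepared statement. The value is sent separately from the
//    statement text, so there is no escaping step and hence no unescaping step.
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
$stmt->bind_param('s', $input);
$stmt->execute();
$stmt->close();

$db->close();
```

One caveat from the era of this thread: with `magic_quotes_gpc` enabled (PHP 4 and 5, removed in 5.4), values in `$_GET`/`$_POST` arrived already slash-escaped, so escaping them again before the INSERT stored literal backslashes. The fix for that belongs on the input side (strip the magic-quotes slashes before escaping, or disable the setting), not a stripslashes() on every read.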