March 11th, 2008, 03:23 AM
I find that mysql_real_escape_string works the best as no matter what they put in or how you escape things it's not going to break the query.
The other thing, is to surround the column name with ticks which means that it accepts both the int and string of a number e.g
$where = "where PARENT_ID='$parent_id' and CHILD_ID='$child_id' ";
March 11th, 2008, 03:56 AM
that is only part of the function anyways there are a bunch of functions in an includes function that call each other to build the queries and inserts and they are all cleaned going in and coming out
March 19th, 2008, 03:53 PM
im not a big fan of sql real escape...we know that the var should not have any sql...a smple regx should tell us if there is any non expected char, just discard the bad input with a nasty response.
Who is more trustworthy then all of the gurus or Buddha’s?
March 20th, 2008, 02:36 AM
I find it's useful for letting characters such as ' or " be entered into comment fields or in CMS backend without risk of terminating the SQL command.
im not a big fan of sql real escape...we know that the var should not have any sql..
By HTRegz in forum The Security Tutorials Forum
Last Post: January 28th, 2006, 07:02 PM
By embro1001 in forum Other Tutorials Forum
Last Post: July 16th, 2005, 05:25 PM
By nightcat in forum The Security Tutorials Forum
Last Post: May 28th, 2005, 02:47 AM
By journy101 in forum Newbie Security Questions
Last Post: May 1st, 2003, 06:16 AM
By jethro in forum Other Tutorials Forum
Last Post: November 3rd, 2002, 02:09 PM