-
March 11th, 2008, 03:23 AM
#11
Member
I find that mysql_real_escape_string works the best as no matter what they put in or how you escape things it's not going to break the query.
The other thing, is to surround the column name with ticks which means that it accepts both the int and string of a number e.g
$where = "where PARENT_ID='$parent_id' and CHILD_ID='$child_id' ";
Cheers,
Niggles
-
March 11th, 2008, 03:56 AM
#12
that is only part of the function anyways there are a bunch of functions in an includes function that call each other to build the queries and inserts and they are all cleaned going in and coming out
-
March 19th, 2008, 03:53 PM
#13
im not a big fan of sql real escape...we know that the var should not have any sql...a smple regx should tell us if there is any non expected char, just discard the bad input with a nasty response.
Who is more trustworthy then all of the gurus or Buddha’s?
-
March 20th, 2008, 02:36 AM
#14
Member
im not a big fan of sql real escape...we know that the var should not have any sql..
I find it's useful for letting characters such as ' or " be entered into comment fields or in CMS backend without risk of terminating the SQL command.
Similar Threads
-
By HTRegz in forum The Security Tutorials Forum
Replies: 12
Last Post: January 28th, 2006, 08:02 PM
-
By embro1001 in forum Other Tutorials Forum
Replies: 0
Last Post: July 16th, 2005, 05:25 PM
-
By nightcat in forum The Security Tutorials Forum
Replies: 9
Last Post: May 28th, 2005, 02:47 AM
-
By journy101 in forum Newbie Security Questions
Replies: 1
Last Post: May 1st, 2003, 06:16 AM
-
By jethro in forum Other Tutorials Forum
Replies: 5
Last Post: November 3rd, 2002, 03:09 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|