On 24/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > Which basically is the same as a simple mysql_real_escape_string? In
> > other words, mysql_real_escape_string itself is safe from SQL
> > injection?
>
> not exactly - it assumes you will use the value as a quoted string in a query.
>
> $s = clean_mysql("foo -- bar ; ' qux")
> $q = "INSERT INTO foo (bar) VALUES ('$s')";
Ah, we've gotten to the meat. So long as there as single quotes around
the data that has gone through mysql_real_escape_string there is no
danger of SQL injection? So this is safe:
mysql_query("
INSERT INTO
foo (bar)
VALUES (
'".mysql_real_escape_string($evilString)."'
)");
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
