Jim Lucas wrote:
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in general) ... but just curious - can anyone demo a hack
that effectively injects past mysqli_real_escape_string(), while using utf-8?
It may just be a matter of time (or already?) before
mysqli_real_escape_string is *proven* ineffective (w/utf-8) ... but here I am
just attempting to gather facts.
Ah, but what if I use sqlite or postgres?
Or Firebird ;)
IMHO, the discussion needs to be about the best way to prevent SQL injection across
all possible DB types. Not just mysql.
The main thing to avoid is building queries from elements that are directly
loaded from the form inputs. While it is difficult to build sort elements for
queries that use parameters, having a mechanism like ADOdb's datadict where one
can filter SQL based on the identified field names does make life easier.
The problems of dealing with student names such as 'Delete from student'
are easily solved by only using them in parameter arrays.
A few simple basics cover the vast majority of traditional SQL injection
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
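The two rules above (values only ever in the parameter array, sort columns only from a whitelist of known field names) as an added example, not code from the thread or from ADOdb. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so the same code works unchanged against MySQL, PostgreSQL or Firebird; the `$sortable` map stands in for the data-dictionary lookup Lester mentions.

```php
<?php
// Added example: Lester's two rules applied with PDO so the approach is not tied to one DB.
// Rule 1: form values go only into the parameter array, never into the SQL text.
// Rule 2: identifiers (sort column, direction) are never taken from the form verbatim;
//         they are looked up in a whitelist of known field names.

$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT, year INTEGER)');

// Hypothetical data dictionary: the only columns a client is allowed to sort on.
$sortable = ['id' => 'id', 'name' => 'name', 'year' => 'year'];

function insertStudent(PDO $db, string $name, int $year): void
{
    // The name travels as a bound parameter, so a value such as
    // "Delete from student" is stored as data and never parsed as SQL.
    $stmt = $db->prepare('INSERT INTO student (name, year) VALUES (:name, :year)');
    $stmt->execute([':name' => $name, ':year' => $year]);
}

function listStudents(PDO $db, array $sortable, string $sortInput, string $dirInput): array
{
    // Identifier whitelist: unknown input falls back to a safe default
    // instead of being interpolated into the statement.
    $column = $sortable[$sortInput] ?? 'id';
    $dir    = strtoupper($dirInput) === 'DESC' ? 'DESC' : 'ASC';
    // Only the whitelisted tokens ever reach the SQL string.
    $stmt = $db->query("SELECT name, year FROM student ORDER BY $column $dir");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input, including the awkward name from the post.
insertStudent($db, 'Delete from student', 2);
insertStudent($db, "O'Brien", 1);

// A malformed sort parameter never touches the query; the default column is used.
print_r(listStudents($db, $sortable, 'name; DROP TABLE student', 'asc'));
print_r(listStudents($db, $sortable, 'year', 'desc'));
```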
PHP General Mailing List (http://www.php.net/)