Hi,
To prevent SQL injections, I try to neutralize SQL metacharacters.
ex:
Code:
function SQLString($s) {
    // Escape backslashes first, then single quotes, so that an
    // input of 1\' ends up as 1\\\' and its quote stays escaped.
    $s = str_replace("\\", "\\\\", $s);
    $s = str_replace("'", "\\'", $s);
    return "'" . $s . "'";
}
And suppose I use this :
$cat = $_GET["category"];
// The value is passed through SQLString() before it is concatenated.
$query = "SELECT Id, Title, Abstract FROM News " . "WHERE Category=" . SQLString($cat);
If a malicious user tries to input 1' UNION SELECT 1, Usr, Pass FROM Usr
it would just pass as plain text like 1\' UNION SELECT 1, Usr, Pass FROM Usr
[edit]
And if he tried 1\' UNION (...) it would pass 1\\\' UNION (...) to the database server.
[/edit]
Is that safe from SQL injection?
---------------------------(end of broadcast)--------------------------- TIP 8: explain analyze is your friend
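The following is an added example, not code from the original post or its author. It is written in Python rather than PHP so it can run stand-alone: it models the two possible escaping orders for the post's SQLString() function, checks how a backslash-escaping SQL dialect would scan the resulting literal, and shows the post's News query with the category bound as a parameter instead of concatenated. The News table, its rows and the category inputs are constructed for the demonstration.

```python
import sqlite3


def sql_string(s: str) -> str:
    """Backslash-escaped literal in the order the post's reasoning assumes:
    backslashes first, then single quotes. An input of 1\\' becomes 1\\\\\\'."""
    s = s.replace("\\", "\\\\")
    s = s.replace("'", "\\'")
    return "'" + s + "'"


def sql_string_quote_first(s: str) -> str:
    """Quotes first, then backslashes. Doubling the backslash that the first
    step just inserted re-exposes the quote, so 1\\' becomes 1\\\\\\\\' ."""
    s = s.replace("'", "\\'")
    s = s.replace("\\", "\\\\")
    return "'" + s + "'"


def literal_closes_early(literal: str) -> bool:
    """Model of how a backslash-escaping dialect (MySQL, or PostgreSQL with
    standard_conforming_strings=off) scans a quoted literal: a backslash
    consumes the next character, and an unescaped quote before the final
    character terminates the literal, handing the rest to the parser as SQL.
    Returns True when that early termination happens."""
    assert literal[0] == "'"
    i = 1
    while i < len(literal):
        c = literal[i]
        if c == "\\":
            i += 2          # escaped character, skip it
            continue
        if c == "'":
            return i != len(literal) - 1
        i += 1
    return False


def find_news_by_category(category: str):
    """The post's query with the value bound as a parameter: the driver
    transmits the input as data, so it never becomes part of the SQL text.
    Uses an in-memory SQLite database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE News (Id INTEGER, Title TEXT, Abstract TEXT, Category TEXT)"
    )
    conn.executemany(
        "INSERT INTO News VALUES (?, ?, ?, ?)",
        [
            (1, "First", "abstract one", "1"),   # constructed sample row
            (2, "Second", "abstract two", "2"),  # constructed sample row
        ],
    )
    rows = conn.execute(
        "SELECT Id, Title, Abstract FROM News WHERE Category = ?", (category,)
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    probe = "1\\' UNION SELECT 1"  # the post's second input, 1\' UNION (...)
    print(sql_string(probe), literal_closes_early(sql_string(probe)))
    print(sql_string_quote_first(probe),
          literal_closes_early(sql_string_quote_first(probe)))
    print(find_news_by_category("1' UNION SELECT 1, Usr, Pass FROM Usr"))
```

With the quote-first order, the `1\'` input yields a literal that terminates before the `UNION`, which is exactly the case hand-written escaping tends to get wrong; with the backslash-first order the quote stays escaped. Whether a backslash escapes anything at all depends on the server: in PostgreSQL it is governed by standard_conforming_strings, and in PHP the driver's own routines (pg_escape_string, or better pg_query_params with bound parameters) track that setting, which is why binding parameters rather than building the literal by hand is the usual recommendation.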