DarkSamurai <[EMAIL PROTECTED]> writes:
> And suppose I use this :
>
> > $cat = $_GET["category"];
> > $query = " SELECT Id, Title, Abstract FROM News " . "Where Category=" . $cat;
From a security point of view you're even better off using something like
$dbh->query("SELECT id, title, abstract
function SQLString($s) {
$s = str_replace("'", "\\s", $s);
$s = str_replace("\\", "", $s);
return "'" . $s . "'";
}
Have you looked at the function PQescapeString() in the libpq library?
Using that would seem to be a simpler way of solving this problem.
If he's using PHP, he should be
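An added example (not code from the thread or from any of its posters) that puts the two suggestions above side by side with the posted function: it builds the News query from the original post once with the posted SQLString() (syntax error fixed so it runs), once with standard quote doubling, which is what PQescapeString()/pg_escape_string() does for quotes, and once as a parameterized statement for pg_query_params(). The category values and the PGCONN environment variable are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Compares hand-rolled escaping with
// escaping done by libpq and with server-side parameters.

// The function posted in the thread, with its syntax error fixed so it runs.
// It turns every quote into the letter "s", so it corrupts legitimate data.
function SQLString_posted($s) {
    $s = str_replace("'", "\\s", $s);
    $s = str_replace("\\", "", $s);
    return "'" . $s . "'";
}

// Standard SQL quoting: a single quote inside a literal is written as two.
// pg_escape_string()/PQescapeString() do this too; given a connection they
// also handle backslashes according to the server's standard_conforming_strings
// setting, which a connection-less function cannot know. Prefer parameters.
function SQLString_doubled($s) {
    return "'" . str_replace("'", "''", $s) . "'";
}

// Build the query from the thread with a chosen escaping function.
function build_with_escaping($cat, callable $escape) {
    return "SELECT Id, Title, Abstract FROM News WHERE Category = " . $escape($cat);
}

// Parameterized form: the SQL text never contains the value, so nothing needs
// escaping and the server cannot mistake data for code.
function build_with_params($cat) {
    return ["SELECT Id, Title, Abstract FROM News WHERE Category = $1", [$cat]];
}

// Constructed test inputs.
$inputs = [
    "sports",          // ordinary value
    "O'Reilly",        // legitimate quote inside the data
    "x' OR 1=1 --",    // value that would break out of the literal if unescaped
];

foreach ($inputs as $cat) {
    echo "input:   ", $cat, "\n";
    echo "posted:  ", build_with_escaping($cat, 'SQLString_posted'), "\n";
    echo "doubled: ", build_with_escaping($cat, 'SQLString_doubled'), "\n";
    [$sql, $params] = build_with_params($cat);
    echo "params:  ", $sql, "  with ", json_encode($params), "\n\n";
}

// With a live connection (connection string taken from the constructed PGCONN
// environment variable), the parameterized form is executed like this.
if (($dsn = getenv('PGCONN')) !== false) {
    $conn = pg_connect($dsn);
    [$sql, $params] = build_with_params($_GET['category'] ?? 'sports');
    $result = pg_query_params($conn, $sql, $params);
    while ($row = pg_fetch_assoc($result)) {
        print_r($row);
    }
}
```

Run without PGCONN to see only the three query strings: for O'Reilly the posted function yields 'OsReilly' (data silently changed), quote doubling yields 'O''Reilly', and the parameterized form keeps the SQL fixed with the value passed separately. If a query string really has to be assembled by hand, pg_escape_literal($conn, $s) returns the quoted literal with the connection's settings applied, which is the PHP counterpart of the PQescapeString() suggestion above.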
On Thu, 2004-07-15 at 23:02, DarkSamurai wrote:
> Hi,
>
> To prevent SQL injections, I try to neutralize SQL metacharacters.
>
> ex:
>
> Code:
>
>
> > function SQLString($s) {
> > $s = str_replace("'", "\\s", $s);
> > $s = str_replace("\\", "", $s);
> > return "'" . $s . "'";
> > }
Hi,
To prevent SQL injections, I try to neutralize SQL metacharacters.
ex:
Code:
function SQLString($s) {
$s = str_replace("'", "\\s", $s);
$s = str_replace("\\", "", $s);
return "'" . $s . "'";
}
And suppose I use this :
$cat = $_GET["category"];
$query = " SELECT Id, Title, Abstrac