On Fri, May 13, 2005 12:51 am, Marek Kilimajer said:
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly
Richard Lynch wrote:
On Fri, May 13, 2005 12:51 am, Marek Kilimajer said:
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these
On Wed, May 11, 2005 8:58 pm, Jason Wong said:
Well put it this way, addslashes() was not meant to make data safe for
mysql, it just happened to work. Now there is a better/official/whatever
alternative why not use it?
Actually, unless I'm very much mistaken about why addslashes() was
written,
On Wed, May 11, 2005 8:27 pm, James Williams said:
On 5/11/05, Richard Lynch [EMAIL PROTECTED] wrote:
Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure
way
that I want to stop working on all my current projects to go re-write
the
10,000,000 lines of code?
2 words:
can I prevent this. The server is not configured or it's all about the
script?
- Original Message -
From: Bostjan Skufca @ domenca.com [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Wednesday, May 11, 2005 1:50 PM
Subject: Re: [PHP] MySql injections
-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 8:47 AM
I'd bet a dollar that if the MySQL C Client library changed what needs
escaping, addslashes would change with it.
Ehhh? I think not. Let's let a mind game (can't spell hypo..whatever
I'm pretty sure that, in order to use mysql_real_escape_string() you
must have magic quotes off or use stripslashes first... the same as
addslashes, so it should work if you just search and replace. Don't
quote me on that though
On 5/12/05, Richard Lynch [EMAIL PROTECTED] wrote:
On Wed, May 11,
On Thu, May 12, 2005 12:39 pm, James Williams said:
I'm pretty sure that, in order to use mysql_real_escape_string() you
must have magic quotes off or use stripslashes first... the same as
addslashes, so it should work if you just search and replace. Don't
quote me on that though
Well, yes,
I couldn't tell you the technicals of it, but just from the PHP documentation:
This function must always (with few exceptions) be used to make data
safe before sending a query to MySQL.
On 5/12/05, Richard Lynch [EMAIL PROTECTED] wrote:
On Thu, May 12, 2005 12:39 pm, James Williams said:
I'm
On Thu, May 12, 2005 1:44 am, Kim Madsen said:
-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 8:47 AM
I'd bet a dollar that if the MySQL C Client library changed what needs
escaping, addslashes would change with it.
Ehhh? I think not.
Richard Lynch wrote:
It's all very well to repeat these pronouncements from on high that
mysql_real_escape_string is better but I personally would sure
appreciate somebody who's saying this to say *WHY* it is better, and in
precisely what ways it is different from addslashes and/or magic quotes
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these things don't
-- Original message --
From: Richard Lynch [EMAIL PROTECTED]
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a
Hi,
This is not the proper list to put this question but I hope you can help me.
Does anyone know a good tutorial about mysql injections?
Thanks a lot for your help
Probably you mean about preventing mysql injections - or not? :)
Bostjan
On Wednesday 11 May 2005 11:38, [EMAIL PROTECTED] wrote:
Hi,
This is not the proper list to put this question but I hope you can help
me. Does anyone know a good tutorial about mysql injections?
Thanks a lot for your
Hi,
This is not the proper list to put this question but I hope
you can help me.
Does anyone know a good tutorial about mysql injections?
Thanks a lot for your help
http://phpsec.org
HTH,
Mikey
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit:
To: php-general@lists.php.net
Sent: Wednesday, May 11, 2005 1:50 PM
Subject: Re: [PHP] MySql injections
Probably you mean about preventing mysql injections - or not? :)
Bostjan
On Wednesday 11 May 2005 11:38, [EMAIL PROTECTED] wrote:
Hi,
This is not the proper list to put this question
Read Chris' article here: http://shiflett.org/articles/security-corner-apr2004
This should explain everything to you - and yes it's down to the
scripts you run.
Chris R
[snip]
I have a site and the other day I received a message from a guy that
told me my site is vulnerable to mysql injections. I do not know how I
can prevent this. The server is not configured or it's all about the script?
[/snip]
PHP Security - http://www.shiflett.org
Hey,
I had the same questions a little while back, and from the advice I got on
this list I checked out the PEAR::DB class and ADODB... I went with the
ADODB solution and have not regretted it since.
Check both of them out for your needs.
Cheers,
Ryan
On 5/11/2005 12:50:14 PM, Bostjan Skufca @
this. The server is not configured or it's all about the script?
- Original Message -
From: Bostjan Skufca @ domenca.com [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Wednesday, May 11, 2005 1:50 PM
Subject: Re: [PHP] MySql injections
Probably you mean about preventing mysql
Sent: Wednesday, May 11, 2005 1:50 PM
Subject: Re: [PHP] MySql injections
Probably you mean about preventing mysql injections - or not? :)
Bostjan
On Wednesday 11 May 2005 11:38, [EMAIL PROTECTED] wrote:
Hi,
This is not the proper list to put this question but I hope you can
I have a related question, many of you have suggested
using addslashes on your variables to prevent SQL
injections, but is it safer to use
mysql_real_escape_string (or mysql_escape_string)?
What is the benefit / cost of using
mysql_real_escape_string rather than addslashes? When
using Postgres I
On Thursday 12 May 2005 06:30, -k. wrote:
I have a related question, many of you have suggested
using addslashes on your variables to prevent SQL
injections, but is it safer to use
mysql_real_escape_string (or mysql_escape_string)?
What is the benefit / cost of using
mysql_real_escape_string
On Wed, May 11, 2005 5:23 pm, Jason Wong said:
But now that mysql_real_escape_string() is available that is what you
ought to use.
But are they REALLY different.
Or, put it this way:
Suppose I have 10,000,000 lines of code that have Magic Quotes on, which
calls addslashes automatically, and I
On Wed, May 11, 2005 5:15 am, [EMAIL PROTECTED] said:
I have a site and the other day I received a message from a guy that told
me my site is vulnerable to mysql injections. I do not know how I can
prevent this. The server is not configured or it's all about the script?
It should also be
On 5/11/05, Richard Lynch [EMAIL PROTECTED] wrote:
Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure way
that I want to stop working on all my current projects to go re-write the
10,000,000 lines of code?
2 words: Search Replace.
On Thursday 12 May 2005 09:57, Richard Lynch wrote:
On Wed, May 11, 2005 5:23 pm, Jason Wong said:
But now that mysql_real_escape_string() is available that is what you
ought to use.
But are they REALLY different.
mysql_real_escape_string() is most certainly different from