[EMAIL PROTECTED] writes:

> Hello, I have a quick question: To use a custom solution for
> inhibiting SQL injection attacks and not a database-specific
> solution like mysql_real_escape_string()
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> ... that will run on any database, not just MySQL, would the
> following be a viable solution:
>
> a. addslashes() to all variables and

I used the Adodb (adodb.sourceforge.net) class for working with the database. It could work with a bunch of DBs (mysql, oracle, pgsql). The most interesting bit about it was that it took care of escaping the strings before putting the data in the database. Each db had its own backend, which took care of escaping characters. For example, if you want to insert "John's Old Shoppe" into MS Access, it has to go in like "John''s Old Shoppe" and not "John\'s Old Shoppe". I think Pear::DB also provides this functionality.

> b. remove specific unwanted characters from input including:
>
> -- [comment sign in SQL]
> ' [single quote]
>
> It is possible to just destroy the unwanted characters in a login
> form and prohibit use of those characters in username and password
> fields.

If you prohibit the use of some characters in the password field, your users will be forced to use weak passwords. In this case, your best bet is to insert the md5sum of the user's password instead of the cleartext password.

--
Raj Shekhar
Y! : Operations Engineer
MySQL DBA, programmer and slacker
Y!IM : lunatech3007
home : http://rajshekhar.net
blog : http://rajshekhar.net/blog/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
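The two points in the reply above (quoting is backend-specific, so a single addslashes() call is not portable; and hashing the password removes the need to forbid characters in it), as an added PHP example that is not code from the post or from ADOdb. The helper names quoteFor and hashPasswordForStorage are assumptions, and password_hash() (PHP 5.5 and later) is used where the post suggests md5.

```php
<?php
// Added example: why a single escaping routine does not port across databases,
// and what a per-backend quoting layer (as ADOdb's backends do) has to decide.
// quoteFor and hashPasswordForStorage are hypothetical names, not an ADOdb API.

// Turn a PHP string into a SQL string literal for the named backend.
function quoteFor(string $driver, string $value): string {
    switch ($driver) {
        case 'mysql':
            // MySQL (in its default SQL mode) understands backslash escapes,
            // which is what addslashes() emits: ' -> \'  \ -> \\  NUL -> \0
            return "'" . addslashes($value) . "'";
        case 'access':
        case 'oracle':
            // ANSI-style backends: a quote inside a literal is written as two
            // quotes, and a backslash is an ordinary character. Sending the
            // addslashes() form 'John\'s Old Shoppe' here ends the literal at
            // the first quote and leaves "s Old Shoppe'" as unquoted SQL.
            return "'" . str_replace("'", "''", $value) . "'";
        default:
            throw new InvalidArgumentException("unknown driver: $driver");
    }
}

// The application builds one query; only the quoting layer knows the backend.
function buildLookup(string $driver, string $shopName): string {
    return "SELECT id FROM shops WHERE name = " . quoteFor($driver, $shopName);
}

// The alternative to stripping ' and -- from a password field: hash the
// password and store the hash. Every character is then acceptable in the
// password, and only a fixed-alphabet hash ever reaches the SQL statement.
function hashPasswordForStorage(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

$name = "John's Old Shoppe";                 // constructed sample value
echo buildLookup('mysql',  $name), "\n";
echo buildLookup('access', $name), "\n";

$pw   = "it's--a'strong'pass";               // characters a filter would strip
$hash = hashPasswordForStorage($pw);
var_dump(password_verify($pw, $hash));       // login check against the stored hash
```

Note that even the MySQL branch depends on server settings: with the NO_BACKSLASH_ESCAPES SQL mode enabled, MySQL also treats backslashes literally, which is one more reason to let the database layer (or bound parameters) do the quoting rather than a fixed addslashes() call.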