Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Michael Shadle
On Thu, May 7, 2009 at 4:28 PM, Shawn McKenzie wrote:
> RTFP!  ;-)
>
> He has no idea what DB will be used.

Wouldn't that be a better argument -for- using PDO? :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Shawn McKenzie
Eric Butera wrote:
> On Thu, May 7, 2009 at 9:41 AM, Igor Escobar wrote:
>> Ok guys, thanks.
>>
>>
>> Regards,
>> Igor Escobar
>> Systems Analyst & Interface Designer
>>
>> --
>>
>> Personal Blog
>> ~ blog.igorescobar.com
>> Online Portfolio
>> ~ www.igorescobar.com
>> Twitter
>> ~ @igorescobar
>

Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Eric Butera
On Thu, May 7, 2009 at 9:41 AM, Igor Escobar wrote:
> Ok guys, thanks.
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
>
>
>
>
>
> On Thu, May 7, 2009 at 7:

Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Igor Escobar
Ok guys, thanks.

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar

On Thu, May 7, 2009 at 7:32 AM, Jan G.B. wrote:
> What about declare, cast, unhex, exec etc.?
> You Replace e

Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Jan G.B.
What about declare, cast, unhex, exec etc.?
Replacing everything with "" isn't so good, I believe.
Others mentioned it before, that *, =, select, from etc. are valid words and characters in another context.
Analyse some attacks before trying to defend against them.
Injections can be heavily db-dependent,

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Andrew Ballard wrote:
> On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie wrote:
>> Igor Escobar wrote:
>>> Yeah yeah, I understood that, but, the point is... I said previously, my
>>> function is not tied to any database.
>>>
>>> It is a generic function, I don't know who will use this, so I don't know, wh

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Andrew Ballard
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie wrote:
> Igor Escobar wrote:
>> Yeah yeah, I understood that, but, the point is... I said previously, my
>> function is not tied to any database.
>>
>> It is a generic function, I don't know who will use this, so I don't know, what is
>> your database so, I

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Please reply all.

> Do you test with associative arrays?
>

Yes.

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [a] => a\"a
            [0] => b\'b
            [c] => Array
                (
                    [x] => x\"x
                    [0] => y\'y

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> Yeah yeah, I understood that, but, the point is... I said previously, my
> function is not tied to any database.
>
> It is a generic function, I don't know who will use this, so I don't know, what is
> your database so, I can't use functions like mysql_real_escape_string etc...

The

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> hun...by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...

Yes, but you can reuse your function even if you start accepting English posts/comments, etc. You don't want this function to be specific to your app or data because

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Yeah yeah, I understood that, but, the point is... I said previously, my function is not tied to any database.

It is a generic function, I don't know who will use this, so I don't know, what is your database so, I can't use functions like mysql_real_escape_string etc...

Regards,
Igor Escobar
Systems An

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Bruno Fajardo
2009/5/6 Igor Escobar :
> hun...by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...

Igor, I'm Brazilian too, but that is not the point. Denying the use of *any* word as input in your app is unnecessary. The problem that you're trying to solve has b

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Now I realize... I sent only to Shawn the modified functions... here goes:

function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    foreach($Target as $key => $value):
        if(is_array($valu

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
hun...by the way I forgot to mention, I am Brazilian and here in Brazil these words are not common ...

That is a recursive function and I can use array_map because in some cases we obtain arrays of arrays and that will generate an error.

Regards,
Igor Escobar
Systems Analyst & Interface Design

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> Hunnn...
>
> So, what do you think now?
>
> function _antiSqlInjection($Target){
> $sanitizeRules =
> array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP
> TABLE','SHOW TABLES','*','--','=');
> foreach($Target as $key => $value):
> if(is_array($value)):

[PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> Hi folks,
> Does someone know how I can improve this function to protect my environment
> vars from SQL injection attacks.
>
> That is the function I use to do this, but some people think it is not enough:
>
> * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
> * @uses $_POST = _a