In article <[EMAIL PROTECTED]>, Alex Turner <[EMAIL PROTECTED]> writes:
> delete * from user;
> select * from table where my_id=$in_value
> Am I just smoking crack here, or does this approach have some merit?

> The former :-)  The correct defense against SQL injection is proper
> escaping, not quoting.  How about $in_value = '1''; delete from user'?

> This would be escaped by magic_quotes resulting in:
> select * from table where my_id='\'1\'\'; delete from user \'', which would
> result in an error, and a failed attack would it not, which would be a good
> thing?

If your "magic_quotes" are magic enough to not only blindly surround the
argument in quotes, but also escape dangerous chars like "'" inside the
argument, then you're safe.

> I tried to create this scenario, but in a transactional environment, it
> executes, but blew the transaction so the data never committed as the select
> query generated an error with the insert on the end...

... and that's exactly what it should do.  You just need to catch the error
and generate a meaningful error message.

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
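The three outcomes discussed in this message side by side, as an added example that is not part of the original thread and not PHP or PostgreSQL code: blind quoting of the raw value, escaping the quotes inside the value, and the parse error Alex hit because the thread's payload leaves a dangling quote behind the stacked DELETE. It runs on the standard-library sqlite3 module with a constructed user table (the table name, the my_id column and the sample rows are assumptions), and adds bound parameters as the third option a practitioner would reach for today. The balanced payload is the thread's payload adjusted so the stacked DELETE actually parses; the escaper uses the SQL-standard doubled quote rather than the backslash form magic_quotes produced, since escape syntax is DBMS-specific.

```python
import sqlite3

# Constructed sample data, not from the original thread.
SAMPLE_ROWS = [("1", "alice"), ("2", "bob")]

# The thread's payload: it leaves a dangling quote after the stacked DELETE.
THREAD_PAYLOAD = "1'; delete from user"
# Variant with balanced quotes, so the stacked DELETE parses and runs.
BALANCED_PAYLOAD = "1'; delete from user where '1'='1"


def fresh_db():
    """In-memory SQLite database seeded with SAMPLE_ROWS (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (my_id text, name text)")
    conn.executemany("insert into user values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("select count(*) from user").fetchone()[0]


def sql_blind_quoting(in_value):
    """'Quoting' only: wrap the raw value in quotes, escape nothing."""
    return f"select * from user where my_id='{in_value}'"


def sql_escaped(in_value):
    """Proper escaping: double every single quote inside the value, then wrap it.

    This is the SQL-standard form. magic_quotes emitted backslash escapes,
    which is DBMS-specific, so an escaper must match the target database.
    """
    return "select * from user where my_id='" + in_value.replace("'", "''") + "'"


def run_concatenated(conn, sql):
    """Execute SQL built by string concatenation and report what survived.

    executescript() stands in for a driver that accepts several statements in
    one call, which is what makes a stacked DELETE reachable (sqlite3's
    execute() would refuse it). A parse error is caught and turned into a
    readable message instead of a bare exception, as the reply recommends.
    Returns (status, message, rows_left_in_user).
    """
    try:
        conn.executescript(sql)
    except sqlite3.Error as exc:
        conn.rollback()
        return ("error", f"query rejected: {exc}", row_count(conn))
    return ("ok", None, row_count(conn))


def run_parameterised(conn, in_value):
    """Bound parameter: the value is sent separately and never becomes SQL text.

    Returns (matching_rows, rows_left_in_user).
    """
    rows = conn.execute("select * from user where my_id=?", (in_value,)).fetchall()
    return rows, row_count(conn)


def demo():
    results = {}
    # Thread's payload through blind quoting: dangling quote, parse error,
    # table untouched. This is the error Alex saw blow his transaction.
    results["blind_thread"] = run_concatenated(fresh_db(), sql_blind_quoting(THREAD_PAYLOAD))
    # Balanced payload through blind quoting: the DELETE runs, table emptied.
    results["blind_balanced"] = run_concatenated(fresh_db(), sql_blind_quoting(BALANCED_PAYLOAD))
    # Same payload through escaping: one harmless SELECT, table intact.
    results["escaped"] = run_concatenated(fresh_db(), sql_escaped(BALANCED_PAYLOAD))
    # Bound parameter: no row matches the literal string, table intact.
    results["param"] = run_parameterised(fresh_db(), BALANCED_PAYLOAD)
    # Bound parameter with a legitimate value still finds the row.
    results["param_legit"] = run_parameterised(fresh_db(), "1")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes beyond the thread: the thread's own payload fails only by luck of an unbalanced quote, and an attacker who balances the quotes gets the DELETE through blind quoting. Escaping the quote inside the value stops that, but only if the escaper matches the database's string syntax; a bound parameter sidesteps the question because the value is never parsed as SQL at all.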