On 10/17/2003 12:15 AM, Yann Larrivee wrote:
Hi, I read many things on SQL injection but I just can't summarize all the information.
Most sites (PHPadvisory.com, phpsecure.info, others found on Google) don't talk much about how to prevent SQL injection.
In some places, they mentioned having a bad-word list, but really in a product description we can have about any word (select, insert, update, ...), so the bad-word list is not really the solution, I believe.
I did the following: single-quoted all the queries' parameters (even if numerical), and did a mysql_real_escape_string on all parameters before they are passed to MySQL.
Also my queries are always fairly long and no query ends with a parameter (at least I try not to).
Do you guys have any other tips?
You may want to take a look at these classes for detection and prevention of SQL injection exploits.
Class: db_escape http://www.phpclasses.org/aclass
Class: class_sql_inject http://www.phpclasses.org/class_sql_inject
--
Regards, Manuel Lemos
Free ready to use OOP components written in PHP http://www.phpclasses.org/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
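The following is an added example, not code from the thread or from the phpclasses.org classes mentioned in the reply. It puts the three approaches discussed above side by side: a query that splices the request value straight into the SQL text, the quote-and-escape approach the original poster describes (PDO::quote() plays the role of mysql_real_escape_string plus the surrounding quotes), and a prepared statement with bound parameters. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database with constructed sample rows so it runs offline; the function names are hypothetical. The product name "O'Brien's gadget" is a legitimate value that a keyword or apostrophe blacklist would reject, which is the point made in the thread about bad-word lists.

```php
<?php
// Added example (not from the mailing-list thread). Assumes PHP with pdo_sqlite.
// The table and rows below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)");
$db->exec("INSERT INTO products (name, description) VALUES
    ('Widget', 'Use SELECT to pick one; never UPDATE blindly'),
    ('O''Brien''s gadget', 'Contains an apostrophe and SQL keywords like INSERT')");

// 1. Vulnerable: the request value is pasted straight into the SQL text, so a
//    single quote in $name changes the structure of the statement.
function findByNameUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM products WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. What the poster describes: every parameter is quoted and escaped for the
//    driver before it is spliced in. PDO::quote() adds the quotes and doubles
//    embedded quotes, so the value stays data rather than becoming SQL syntax.
function findByNameEscaped(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM products WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the SQL text is fixed and the value travels separately,
//    so there is no escaping step to forget and no bad-word list is needed.
function findByNameParameterized(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM products WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric parameters: instead of quoting them as strings (the poster's approach),
// bind them with an explicit integer type so a non-numeric value cannot alter the query.
function findById(PDO $db, int $id): ?array {
    $stmt = $db->prepare("SELECT id, name FROM products WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Two inputs: a legitimate product name with an apostrophe, and the textbook
// tautology used to show why string splicing is unsafe.
$inputs = ["O'Brien's gadget", "' OR '1'='1"];

foreach ($inputs as $input) {
    echo "Input: $input\n";
    try {
        printf("  unsafe:        %d row(s)\n", count(findByNameUnsafe($db, $input)));
    } catch (PDOException $e) {
        // The legitimate apostrophe breaks the statement; the tautology returns every row.
        echo "  unsafe:        SQL error (" . $e->getMessage() . ")\n";
    }
    printf("  escaped:       %d row(s)\n", count(findByNameEscaped($db, $input)));
    printf("  parameterized: %d row(s)\n", count(findByNameParameterized($db, $input)));
}
print_r(findById($db, 2));
```

Run it with `php` from the command line. The escaped and parameterized lookups return exactly one row for the apostrophe value and zero rows for the tautology, while the spliced version fails on the legitimate name and returns every row for the tautology. Of the two safe forms, the prepared statement is the one to prefer: the escaping approach is only as good as the escaping function being applied on every single parameter, every time, whereas binding removes that step entirely.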