This reply has two purposes. Firstly, a small suggestion (modest compared to the others which will follow, no doubt!) - check out mysql_escape_string() - this may be useful to you.
Secondly, a further question: In addition to protecting against SQL Injection, has anyone here experimented with detecting and recording attempts at injection? I've been pondering checking strings which come directly from user input for sql keywords (and possibly using regexps to check for potential SQL Syntax fragments), but before I begin, I thought asking would benefit me, if someone with more experience has already tried this... Thanks, Matt -----Original Message----- From: Tariq Murtaza [mailto:[EMAIL PROTECTED] Sent: 19 March 2004 18:41 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Guru's advice needed ........[Security: SQL injection] *Dear Friends!* Can someone shed some light on how "SQL injection" attack occurs when *magic_quotes_gpc *is"ON" and how it prevents when its "OFF". To my understanding apostrophise are escaped automatically in POST/GET/COOKIE when its ON, so how it tends towards SQL Injection. Someone suggested to keep magic_quotes_qpc OFF through .htaccess file and use following line of codes to prevent attacks at start of the file... <?php /** * Checks for magic_quotes_gpc = On and strips them from incoming * requests if necessary */ if (get_magic_quotes_gpc()) { $_GET = array_map('stripslashes', $_GET); $_POST = array_map('stripslashes', $_POST); $_COOKIE = array_map('stripslashes', $_COOKIE); } ?> But unfortunately it does not work for nested POST requests. do anyone have better idea? Secondly why we have to stripslashes while DB (mysql for example) is doing it for us on execution and another question arises doesn't it prevent from SQL injection attack when apostrophise are escaped in query. *What is the best practices handling 'quotation marks' in input string and how to prevent SQL injection. *Looking forward for some advice from panel of experts on forum. Thanks and have a nice day!* *Cheers! *Tariq* -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
