--- Ali Ashrafzadeh <[EMAIL PROTECTED]> wrote:
> I'm looking for a function to check SQL Injection in MySQL RDBMS
> please tell me if anyone knows a good function or solution

In my opinion, this is the wrong approach. SQL injection vulnerabilities exist when you use data that the user gave you to create your SQL statement. So, anytime that this happens, simply make absolutely sure that the data you are using from the user fits a very specific format that you are expecting.

To be clear: make sure the data that the user submitted only contains the characters you think are valid (don't bother trying to guess malicious characters - you're sure to miss one) and is a valid length.

Once you've done this, and your design helps you to make sure that this step can't be bypassed by the user, you're protected against SQL injection.

There is also a rather handy document available from NYPHP:

http://phundamentals.nyphp.org/PH_storingretrieving.php

This is good for describing magic_quotes and mysql_escape_string().

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming mid-2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
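
The allowlist check described in the reply above, as an added example that is not part of the original message: the field names, patterns and length limits are assumptions chosen for illustration. Each value must match a fully anchored pattern and a maximum length, and only the returned array is meant to reach the code that builds SQL.

```php
<?php
// Added example (not from the original post). Field names, patterns and
// limits below are assumptions; adapt them to the data you actually expect.

// Allowlist rules: every expected field gets an exact pattern and a max length.
// \A and \z anchor the whole string; "$" alone would accept a trailing newline.
const RULES = [
    'username' => ['pattern' => '/\A[A-Za-z0-9_]+\z/',    'max' => 32],
    'user_id'  => ['pattern' => '/\A[1-9][0-9]*\z/',      'max' => 10],
    'sort'     => ['pattern' => '/\A(?:name|created)\z/', 'max' => 7],
];

/**
 * Returns only the fields that passed validation. A field that is not listed
 * in RULES, is not a string, is empty or too long, or contains any character
 * outside its pattern is dropped rather than repaired.
 */
function filter_input_allowlist(array $raw): array
{
    $clean = [];
    foreach (RULES as $field => $rule) {
        if (!isset($raw[$field]) || !is_string($raw[$field])) {
            continue; // missing, or an array such as ?username[]=x
        }
        $value = $raw[$field];
        if (strlen($value) === 0 || strlen($value) > $rule['max']) {
            continue; // wrong length
        }
        if (preg_match($rule['pattern'], $value) !== 1) {
            continue; // unexpected character somewhere in the value
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed sample input standing in for $_GET / $_POST.
$samples = [
    ['username' => 'ali_82', 'user_id' => '42', 'sort' => 'name'],
    ['username' => "x' OR '1'='1", 'user_id' => '42abc', 'sort' => 'name; --'],
    ['username' => ['nested'], 'user_id' => "7\n", 'extra' => 'ignored'],
];

foreach ($samples as $raw) {
    // Query-building code is handed $clean only and never sees $raw.
    $clean = filter_input_allowlist($raw);
    echo json_encode($clean), PHP_EOL;
}
```

Only the first sample yields any fields; in the other two every value fails its pattern, type or length check and the result is empty.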