Richard Lynch wrote:
On Fri, May 13, 2005 12:51 am, Marek Kilimajer said:
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
qu
On Fri, May 13, 2005 12:51 am, Marek Kilimajer said:
> Richard Lynch wrote:
>> On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
>>
>>> From me:
>>>The fact that it uses the character set of your current connection to
>>>MySQL means that what your escaping function considers to be a single
>>>
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these t
-- Original message --
From: "Richard Lynch" <[EMAIL PROTECTED]>
> On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
> > From me:
> > The fact that it uses the character set of your current connection to
> > MySQL means that what your escaping function considers t
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
> From me:
> The fact that it uses the character set of your current connection to
> MySQL means that what your escaping function considers to be a single
> quote is exactly what your database considers to be a single quote. If
> these things don'
Richard Lynch wrote:
It's all very well to repeat these pronouncements from on high that
"mysql_real_escape_string is better" but I personally would sure
appreciate somebody who's saying this to say *WHY* it is better, and in
precisely what ways it is different from addslashes and/or magic quotes
w
On Thu, May 12, 2005 1:44 am, Kim Madsen said:
>> -Original Message-
>> From: Richard Lynch [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, May 12, 2005 8:47 AM
>
>> I'd bet a dollar that if the MySQL C Client library changed what needs
>> escaping, addslashes would change with it.
>
> Ehhh? I
I couldn't tell you the technicals of it, but just from the php documentation:
" This function must always (with few exceptions) be used to make data
safe before sending a query to MySQL."
On 5/12/05, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Thu, May 12, 2005 12:39 pm, James Williams said:
>
On Thu, May 12, 2005 12:39 pm, James Williams said:
> I'm pretty sure that, in order to use mysql_real_escape_string() you
> must have magic quotes off or use stripslashes first... the same as
> addslashes, so it should work if you just search and replace. Don't
> quote me on that though
Well, ye
I'm pretty sure that, in order to use mysql_real_escape_string() you
must have magic quotes off or use stripslashes first... the same as
addslashes, so it should work if you just search and replace. Don't
quote me on that though
On 5/12/05, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, May 1
> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 12, 2005 8:47 AM
> I'd bet a dollar that if the MySQL C Client library changed what needs
> escaping, addslashes would change with it.
Ehhh? I think not. Let's let a mindgame (can't spell hypo..what
eived a message from a guy that
> > told me my site is vulnerable to mysql injections. I do not know how I can
> > prevent this. The server is not configured or it's all about the
> > script?
> >
> >
> > - Original Message -
> > From: "Bostjan Skufc
On Wed, May 11, 2005 8:27 pm, James Williams said:
> On 5/11/05, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure
>> way
>> that I want to stop working on all my current projects to go re-write
>> the
>> 10,000,000 lines of code?
>
>
On Wed, May 11, 2005 8:58 pm, Jason Wong said:
> Well put it this way, addslashes() was not meant to make data "safe" for
> mysql, it just happened to work. Now there is a better/official/whatever
> alternative why not use it?
Actually, unless I'm very much mistaken about why addslashes() was
writ
On Thursday 12 May 2005 09:57, Richard Lynch wrote:
> On Wed, May 11, 2005 5:23 pm, Jason Wong said:
> > But now that mysql_real_escape_string() is available that is what you
> > ought to use.
>
> But are they REALLY different?
mysql_real_escape_string() is most certainly different from
mysql_esc
On 5/11/05, Richard Lynch <[EMAIL PROTECTED]> wrote:
> Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure way
> that I want to stop working on all my current projects to go re-write the
> 10,000,000 lines of code?
2 words: Search & Replace.
--
PHP General Mailing List (http://
On Wed, May 11, 2005 5:15 am, [EMAIL PROTECTED] said:
> I have a site and the other day I received a message from a guy that told
> me my site is vulnerable to mysql injections. I do not know how I can
> prevent this. The server is not configured or it's all about the script?
It should also be no
On Wed, May 11, 2005 5:23 pm, Jason Wong said:
> But now that mysql_real_escape_string() is available that is what you
> ought to use.
But are they REALLY different?
Or, put it this way:
Suppose I have 10,000,000 lines of code that have Magic Quotes on, which
calls addslashes automatically, and
On Thursday 12 May 2005 06:30, -k. wrote:
> I have a related question, many of you have suggested
> using addslashes on your variables to prevent SQL
> injections, but is it safer to use
> mysql_real_escape_string (or mysql_escape_string)?
> What is the benefit / cost of using
> mysql_real_escape_s
I have a related question, many of you have suggested
using addslashes on your variables to prevent SQL
injections, but is it safer to use
mysql_real_escape_string (or mysql_escape_string)?
What is the benefit / cost of using
mysql_real_escape_string rather than addslashes? When
using Postgres i a
> - Original Message -
> From: "Bostjan Skufca @ domenca.com" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, May 11, 2005 1:50 PM
> Subject: Re: [PHP] MySql injections
>
> > Probably you mean about "preventing mysql injections" - or not? :)
y site is vulnerable to mysql injections. I do not know how I can
> prevent this. The server is not configured or it's all about the script?
>
>
> - Original Message -
> From: "Bostjan Skufca @ domenca.com" <[EMAIL PROTECTED]>
> To:
> Sent: Wed
Hey,
I had the same questions a little while back, and from the advice I got on
this list
I checked out the PEAR:DB class and ADODB...I went with the ADODB solution
and
have not regretted it since.
Check both of them out for your needs.
Cheers,
Ryan
On 5/11/2005 12:50:14 PM, Bostjan Skufca @ do
[snip]
I have a site and the other day I received a message from a guy that
told
me my site is vulnerable to mysql injections. I do not know how I can
prevent this. The server is not configured or it's all about the script?
[/snip]
PHP Security - http://www.shiflett.org
Read Chris' article here: http://shiflett.org/articles/security-corner-apr2004
This should explain everything to you - and yes it's down to the
scripts you run.
Chris R
m" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 11, 2005 1:50 PM
Subject: Re: [PHP] MySql injections
Probably you mean about "preventing mysql injections" - or not? :)
Bostjan
On Wednesday 11 May 2005 11:38, [EMAIL PROTECTED] wrote:
Hi,
This is not the proper list to put t
> Hi,
> This is not the proper list to put this question but I hope
> you can help me.
> Does anyone know a good tutorial about mysql injections?
>
> Thanks a lot for your help
http://phpsec.org
HTH,
Mikey
Probably you mean about "preventing mysql injections" - or not? :)
Bostjan
On Wednesday 11 May 2005 11:38, [EMAIL PROTECTED] wrote:
> Hi,
> This is not the proper list to put this question but I hope you can help
> me. Does anyone know a good tutorial about mysql injections?
>
> Thanks a lot for