Comments on snippet: 'Anti-SQL Injection Function'

fjckls said on 4/19/11

Tue, 19 Apr 2011 23:18:12 GMT

what about this: http://www.w3schools.com/PHP/func_mysql_real_escape_string.asp

timkinnane said on 3/22/11

Tue, 22 Mar 2011 18:02:19 GMT

append != prefix append = suffix prepend = prefix

adkatrit said on 2/18/11

Fri, 18 Feb 2011 05:17:51 GMT

This does not prevent sql injection. It takes care of several special characters, and that's about it. it does nothing to prevent the injection of wildcard characters such as % and _ also consider numerical values in sql terms, they do not need to be enclosed in single or double quotes, so mysql_real_escape_string, does just that. It escapes strings. Notice the function was not called mysql_prevent_injection. This is why sql injection is still in the wild: developers that are trying to find an easy solution to something that is implementation specific and requires attention to detail for mitigation. If you want to prevent or lessen the risk of sql injection, read more about implementing sql injection not about preventing sql injection. You'll find much more useful solutions by reading the blogs or books written by pentesters who are actively trying to defeat these protections.... just saying

toltmanns said on 1/6/11

Thu, 06 Jan 2011 04:20:24 GMT

sarfraznawaz2005 - what else can be done to secure the input to a further degree?

sarfraznawaz2005 said on 2/11/09

Wed, 11 Feb 2009 00:38:26 GMT

With mysql_real_escape_string alone, you are not 100% secure, consider going for function titled "Prevent SQL Injection".

sarfraznawaz2005 said on 2/11/09

Wed, 11 Feb 2009 00:37:46 GMT

With mysql_real_escape_string alone, you are not 100% secure, consider going for function titled "Prevent SQL Injection".

llbbl said on 4/2/08

Wed, 02 Apr 2008 15:32:55 GMT

*append = prefix

llbbl said on 4/2/08

Wed, 02 Apr 2008 15:30:11 GMT

"mysqlrealescapestring() requires that a valid mysql connection"

The "mysql_" appended to the function might have been a clue. :)

philipolson said on 2/27/08

Wed, 27 Feb 2008 17:04:05 GMT

Note: mysqlrealescapestring() requires that a valid mysql connection (mysqlconnect()) exists to work... see the PHP manual for details.

Shocker said on 1/30/08

Wed, 30 Jan 2008 04:35:21 GMT

Please note almost any string values used in mysql queries should be escaped and not all of these values is user input which has escaped characters from magic quotes GPC. (e.g. regular vars from the script)

I'd add an additional optional parameter (bool) which defines, whether the parameter $dirty is coming from a GPC variable or not. :)