I would disagree on the use of mysql_real_escape_string(). The use of
placeholders is much safer from a maintenance and 'oops look I typoed it'
perspective.

On 04/06/07, Jon Ribbens <[EMAIL PROTECTED]> wrote:

On Mon, Jun 04, 2007 at 02:44:25PM -0700, Daevid Vincent wrote:
> Thanks for the magazine. I already incorporated a little extra SQL
> injection checking into my db.inc.php wrapper...
>
> //[dv] added to remove all comments (which may help with SQL injections
> // as well).
> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

Um, what? Both that and the methods described in the magazine are
completely wrong. You use mysql_real_escape_string(), that's it.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
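As an added example (not code from any of the messages above), here are the three preg_replace() patterns from the quoted db.inc.php wrapper ported from PCRE to Python's re module so they can be run stand-alone, applied to a string-built query and compared with the placeholder approach the top reply argues for. An in-memory SQLite table stands in for the MySQL users table (an assumption; SQLite shares the '-- ' comment syntax but not MySQL's '#'). It shows two things the thread states but does not demonstrate: an injection needs no comment at all, and the line-comment patterns only fire when a newline follows the comment, so a payload at the end of the statement survives stripping untouched, while the placeholder version returns nothing for either payload because the value never becomes SQL syntax.

```python
import re
import sqlite3

# Added example, not code from the thread. The three preg_replace() patterns
# from the quoted db.inc.php wrapper, ported from PCRE to Python's re module
# (the /s modifier becomes re.DOTALL; the patterns themselves are unchanged).
COMMENT_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.DOTALL),     # MySQL '#' line comment
    re.compile(r"--.*?[\r\n]", re.DOTALL),    # '-- ' line comment
    re.compile(r"/\*(.*?)\*/", re.DOTALL),    # /* block */ comment
]


def strip_comments(sql: str) -> str:
    """Reproduce the quoted comment-stripping step exactly as written."""
    for pattern in COMMENT_PATTERNS:
        sql = pattern.sub("", sql)
    return sql


def build_query_unsafe(username: str) -> str:
    """String-built query, i.e. the case the stripping was meant to protect.
    The two line-comment patterns only match when a newline FOLLOWS the
    comment, so a comment at the very end of the statement is never removed."""
    return strip_comments(f"SELECT id FROM users WHERE name = '{username}'")


def _connect() -> sqlite3.Connection:
    # Constructed in-memory table (assumption: SQLite stands in for MySQL;
    # both treat '-- ' as a comment to end of line, SQLite does not know '#').
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def rows_unsafe(username: str) -> list:
    """Ids returned when the comment-stripped, string-built query is run."""
    con = _connect()
    return sorted(r[0] for r in con.execute(build_query_unsafe(username)))


def rows_safe(username: str) -> list:
    """Same lookup with a placeholder: the driver passes the value as data,
    so quotes and comment markers inside it have no syntactic effect."""
    con = _connect()
    return sorted(r[0] for r in
                  con.execute("SELECT id FROM users WHERE name = ?", (username,)))


if __name__ == "__main__":
    # "alice" is a legitimate lookup; the other two are constructed payloads,
    # one without any comment marker and one with a trailing '-- ' comment.
    for payload in ["alice", "' OR '1'='1", "' OR 1=1 -- "]:
        print(repr(payload),
              "string-built:", rows_unsafe(payload),
              "placeholder:", rows_safe(payload))
```

Both constructed payloads return every row through the string-built path and no rows through the placeholder path. The stripping also runs over the whole statement, so legitimate data containing `--` or `/* */` followed by a newline would be mangled; escaping the value, as the quoted reply recommends, keeps the payload inside its literal, and a placeholder goes one step further by never splicing the value into the SQL text at all.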
