On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> Thanks for the magazine. I already incorporated a little extra SQL
> injection checking into my db.inc.php wrapper...
>
> //[dv] added to remove all comments (which may help with SQL injections
> as well.
> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
I'm not aware of the context, but I guess you can imagine that this will
corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
string. So I would highly recommend not using those.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
Visit my web laboratory at http://beta.unclassified.de

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
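The corruption Yves describes, reproduced as an added example (editor's code, not part of the thread and not Daevid's wrapper): the three preg_replace patterns are ported to Python's re module, applied to constructed queries whose string literals legitimately contain "#", "--" and "/* ... */", and the mangled results are returned. The second function shows the standard mitigation instead of comment stripping: a parameterized query (here sqlite3 with "?" placeholders, the equivalent of PDO prepared statements or mysqli bind_param in PHP), which stores a value full of comment markers unchanged because the driver never splices it into the SQL text.

```python
import re
import sqlite3

# The three comment-stripping patterns from the quoted message, ported from PCRE.
# The "s" modifier becomes re.S so "." also matches newlines, as in the original.
COMMENT_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.S),      # "#" to end of line
    re.compile(r"--.*?[\r\n]", re.S),     # "--" to end of line
    re.compile(r"/\*(.*?)\*/", re.S),     # /* block comment */
]


def strip_comments(sql: str) -> str:
    """Reproduce the wrapper's behaviour: delete anything that looks like a comment,
    with no awareness of whether it sits inside a quoted string."""
    for pattern in COMMENT_PATTERNS:
        sql = pattern.sub("", sql)
    return sql


def corrupted_examples() -> dict:
    """Constructed, perfectly legitimate queries whose string literals contain
    comment markers. Returns what the wrapper would actually send to MySQL."""
    queries = {
        "hash": "INSERT INTO t (note) VALUES ('Ticket #42 reopened')\n",
        "dash": "SELECT * FROM t WHERE slug = 'foo--bar'\n",
        "block": "UPDATE t SET body = 'see /* section 2 */ for details'",
    }
    return {name: strip_comments(q) for name, q in queries.items()}


def safe_insert_and_fetch(note: str) -> str:
    """The mitigation: bind the value as a parameter instead of sanitizing SQL text.
    Uses an in-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, note TEXT)")
    conn.execute("INSERT INTO t (note) VALUES (?)", (note,))
    (stored,) = conn.execute("SELECT note FROM t").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    for name, mangled in corrupted_examples().items():
        print(f"{name}: {mangled!r}")
    print(repr(safe_insert_and_fetch("Ticket #42 -- see /* notes */")))
```

Note that the "hash" and "dash" queries lose the closing quote and everything after the marker, so the statement is no longer even syntactically valid, while the block-comment case silently changes the stored data. A regex that cannot distinguish a comment from the contents of a string literal will do this to any user-supplied text, which is why parameter binding, not text filtering, is the right place to separate data from SQL.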