On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> Thanks for the magazine. I already incorporated a little extra SQL
> injection checking into my db.inc.php wrapper...
> 
> //[dv] added to remove all comments (which may help with SQL injections as well).
> $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql); 

I'm not aware of the context, but I guess you can imagine that this will
corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
string. So I would highly recommend not using those.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
Visit my web laboratory at http://beta.unclassified.de
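The corruption described in the reply, shown as an added example that is not part of the original thread: the three substitutions from the quoted db.inc.php wrapper are reproduced with Python's re module (re.S stands in for PHP's /s modifier) and run against legitimate queries whose string literals contain the comment markers; SQLite is used in place of MySQL purely to show the effect, and the parameterised insert at the end is this example's contrast, not a recommendation made in the reply.

```python
import re
import sqlite3

# The three comment-stripping substitutions from the quoted db.inc.php
# wrapper, translated to Python's re module (re.S matches PHP's /s flag).
COMMENT_PATTERNS = [r"#.*?[\r\n]", r"--.*?[\r\n]", r"/\*(.*?)\*/"]

def strip_comments(sql: str) -> str:
    """Apply the wrapper's three regexes in their original order."""
    for pattern in COMMENT_PATTERNS:
        sql = re.sub(pattern, "", sql, flags=re.S)
    return sql

def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn

def insert_stripped(sql: str):
    """Run a query through the stripper; return the stored body or the error."""
    conn = fresh_db()
    try:
        conn.execute(strip_comments(sql))
        return conn.execute("SELECT body FROM notes").fetchone()[0]
    except sqlite3.Error as exc:
        return f"error: {exc}"

def insert_parameterised(body: str) -> str:
    """Contrast: bind the value, so nothing inside it is parsed as SQL."""
    conn = fresh_db()
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    return conn.execute("SELECT body FROM notes").fetchone()[0]

# Constructed legitimate inputs with comment markers inside a string literal.
BODY_BLOCK = "see /* build 7 */ log"
BODY_HASH = "ticket #42 -- reopened"
SQL_BLOCK = f"INSERT INTO notes (body) VALUES ('{BODY_BLOCK}')"
SQL_HASH = f"INSERT INTO notes (body) VALUES ('{BODY_HASH}')\n"

if __name__ == "__main__":
    # The block-comment regex eats part of the data: the row silently
    # becomes 'see  log'.
    print(repr(insert_stripped(SQL_BLOCK)))
    # The '#' regex removes everything up to the newline, cutting the
    # string literal open, so the whole query fails.
    print(repr(insert_stripped(SQL_HASH)))
    # Bound parameters store the text exactly as given.
    print(repr(insert_parameterised(BODY_HASH)))
```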

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]