Yes, you are correct. In a cruel, ironic twist, that actually bit me in the ass, as it turns out we tried to import some "HTML" output from MS Word, which adds all kinds of crazy XHTML comment tag thingys that look like:
<!--[if gte mso 9]> <!--[if !mso]> <![endif]--> Etc. *sigh*

> -----Original Message-----
> From: Yves Goergen [mailto:[EMAIL PROTECTED]
> Sent: Saturday, June 09, 2007 4:34 AM
> To: Daevid Vincent
> Cc: 'B. Keith Murphy'; 'MySQL General'
> Subject: Re: MySQL Magazine - Issue 1 available NOW!!!!
>
> On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
> > Thanks for the magazine. I already incorporated a little extra SQL
> > injection checking into my db.inc.php wrapper...
> >
> > //[dv] added to remove all comments (which may help with SQL injections
> > as well.
> > $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
> > $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
>
> I'm not aware of the context, but I guess you can imagine that this will
> corrupt any SQL queries that contain "#" or "--" or "/* ... */" inside a
> string. So I would highly recommend not using those.
>
> --
> Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
> Visit my web laboratory at http://beta.unclassified.de
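The corruption Yves describes, as an added example that is not code from the thread or from the db.inc.php wrapper: the three preg_replace patterns transcribed to Python's re module, beside a small string-aware scanner that copies quoted literals through untouched. The scanner is a simplified assumption for this example (not a full MySQL lexer); the sample queries, including the Word-style `<!--[if gte mso 9]>` markup, are constructed.

```python
import re

# The three patterns from the db.inc.php wrapper, transcribed to Python's re
# module (re.S mirrors PHP's /s modifier).
NAIVE_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.S),
    re.compile(r"--.*?[\r\n]", re.S),
    re.compile(r"/\*(.*?)\*/", re.S),
]


def naive_strip_comments(sql: str) -> str:
    """Regex-only stripping: has no notion of string literals."""
    for pat in NAIVE_PATTERNS:
        sql = pat.sub("", sql)
    return sql


def string_aware_strip_comments(sql: str) -> str:
    """Strip #, -- and /* */ comments but copy quoted literals through verbatim.

    Hand-rolled scanner (an assumption for this example, not a full MySQL
    lexer): understands '...' and "..." literals with backslash and doubled-
    quote escapes, and applies MySQL's rule that '--' only opens a comment
    when followed by whitespace or end of input.
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            # Copy the whole literal, including any #, -- or /* inside it.
            j = i + 1
            while j < n:
                if sql[j] == "\\" and j + 1 < n:
                    j += 2  # backslash escape: skip the escaped character
                    continue
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:
                        j += 2  # doubled quote ('' or "") stays inside
                        continue
                    j += 1  # closing quote
                    break
                j += 1
            out.append(sql[i:j])
            i = j
        elif c == "#" or (
            sql.startswith("--", i) and (i + 2 >= n or sql[i + 2] in " \t\r\n")
        ):
            # Line comment: drop up to, but not including, the newline.
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):
            # Block comment: drop through the closing */ (or to end of input).
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


# Constructed sample queries (not from the thread).
HASH_IN_LITERAL = "SELECT '#' AS hash FROM t\n"
WORD_HTML_IN_LITERAL = (
    "UPDATE page SET body = '<!--[if gte mso 9]><![endif]-->' WHERE id = 1\n"
)
REAL_COMMENTS = "SELECT 1 -- trailing note\nFROM dual /* block */ # tail\n"


def demo() -> dict:
    """Return (naive, string-aware) output for each sample so the damage is visible."""
    return {
        name: (naive_strip_comments(q), string_aware_strip_comments(q))
        for name, q in [
            ("hash", HASH_IN_LITERAL),
            ("word_html", WORD_HTML_IN_LITERAL),
            ("real", REAL_COMMENTS),
        ]
    }


if __name__ == "__main__":
    for name, (naive, aware) in demo().items():
        print(f"{name}: naive={naive!r}")
        print(f"{' ' * len(name)}  aware={aware!r}")
```

The naive version truncates the first query at `'` and the Word-HTML query at `'<!`, exactly the breakage reported above, while the scanner leaves both intact and still removes the genuine comments in the third query. Even the string-aware version is only a formatting aid: stripping comments does not prevent SQL injection, because an attacker-controlled value that closes a string literal needs no comment at all. The defence is to pass values through prepared statements with bound parameters rather than to rewrite the query text.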