Hi.
On Mon, Jul 23, 2001 at 05:24:45PM +0200, [EMAIL PROTECTED] wrote:
> Hi
>
> When thinking about security it is best to use ' around number input
> from a webuser in the WHERE part of my query. But does this query
> run slower than a query without ' around numbers? How does this
> work?
Just putting single quotes around the input is not enough. I could
type in a single quote to get around your single quotes this way. Of
course, you want to use the proper escape function (like
mysql_real_escape_string) to be on the safe side.
The query won't run slower, because MySQL converts the string to a
number, if the column you compare against is a number. (The other way
around, comparing a VARCHAR column with an integer constant _will_
slow down the query.)
> I want to protect my system from user input such as comment, AND
> operator, and OR operator. Is the best way to include ' in queries,
> or should I precheck the number to verify that they really are
> numbers?
IMHO, the Right Thing is to pre-check that the number only consists of
digits. That way, you can also return a more precise error message
than just complaining about a not found entry with invalid numbers.
Bye,
Benjamin.
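An added example, not part of Benjamin's reply or the original thread, showing the "pre-check that the number only consists of digits" approach in Python. It uses an in-memory SQLite table with constructed sample rows (the table name `article` and its contents are assumptions) in place of the MySQL database from the question; the validated integer is then passed as a bound parameter rather than spliced into the query text, so the quoting question never arises for the database at all.

```python
import re
import sqlite3

# Only ASCII digits. A regex character class [0-9] is used on purpose:
# str.isdigit() and \d also accept non-ASCII digit characters, which
# int() may or may not convert the way the application expects.
_DIGITS = re.compile(r"[0-9]+")


def precheck_number(raw: str) -> int:
    """Accept a string made up entirely of ASCII digits and return it as an int.

    Anything else (quotes, spaces, operator words, comment markers, a sign,
    the empty string) is rejected with a precise error before any SQL is
    built, which is the point made in the reply above.
    """
    if not _DIGITS.fullmatch(raw):
        raise ValueError(f"expected a non-negative integer, got {raw!r}")
    return int(raw)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; the id column is an integer, as in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?)",
        [(1, "first"), (2, "second"), (42, "answer")],
    )
    return conn


def fetch_title(conn: sqlite3.Connection, raw_id: str):
    """Look up an article by a web-supplied id string.

    Validation happens first, so an invalid id is reported as such instead
    of as a 'not found' row; the value then travels as a bound parameter,
    so no user text ever becomes part of the SQL statement.
    """
    article_id = precheck_number(raw_id)
    row = conn.execute(
        "SELECT title FROM article WHERE id = ?", (article_id,)
    ).fetchone()
    return row[0] if row else None


def classify_inputs(inputs):
    """Return {raw_input: 'ok' | 'rejected'} for a batch of raw strings."""
    result = {}
    for raw in inputs:
        try:
            precheck_number(raw)
            result[raw] = "ok"
        except ValueError:
            result[raw] = "rejected"
    return result


if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_title(db, "42"))
    # Constructed inputs: a valid id, then the kinds of input the question
    # worries about (quote, operator word, comment marker) plus edge cases.
    print(classify_inputs(["42", "", "4 2", "42'", "42 OR 1", "42--", "+42", "４２"]))
```

The digits-only check and the bound parameter are independent defences: the check gives the user a meaningful error and keeps junk out of the application logic, and the parameter keeps the query text fixed regardless of what the check lets through.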
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php