From: "Tariq Murtaza" <[EMAIL PROTECTED]>

> Can someone shed some light on how an "SQL injection" attack occurs when
> *magic_quotes_gpc* is "ON" and how it is prevented when it is "OFF". To my
> understanding, apostrophes are escaped automatically in POST/GET/COOKIE
> when it is ON, so how does it tend towards SQL injection?

magic_quotes_gpc ON is supposed to do an addslashes automatically for all
get, post and cookie data.

> What are the best practices for handling 'quotation marks' in an input string,
> and how to prevent SQL injection?

The best way to prevent SQL injection is to check user input yourself.
Never, ever trust any data from an external source.

Check numerical data: make sure it's numerical and within the range you
defined.
Check string data: make sure it contains the characters you support and
filter out any other characters; make sure it meets the other requirements
you defined (size, etc.). If necessary, modify the data or reject it
completely.

I never use user input to include a script just like that, but always verify
it first to make sure it's in the list of scripts that can be included...

If you want to supply "free text search" then you can easily filter out a
list of punctuation characters that are not supported by the free text
search you implemented. If you filter out enough it will render an SQL query
that was posted to your script invalid, and effectively prevent an SQL
injection attack.

Happy coding! Jigal.
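The checks Jigal describes (numeric range, character whitelist, script allow-list, and punctuation filtering for free-text search), written out as an added PHP example that is not part of the original thread. The function names, the allowed-character sets and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example: input checks along the lines of the advice above.
// Function names and allowed-character sets are assumptions, not from the thread.

// Numeric data: must be a plain digit string and within a caller-defined range.
function checkedInt(string $raw, int $min, int $max): ?int {
    // ctype_digit rejects signs, spaces, decimals and any non-digit character.
    if (!ctype_digit($raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// String data: keep only characters the application supports and enforce a
// maximum length; returns null when nothing usable is left.
function checkedName(string $raw, int $maxLen = 32): ?string {
    $clean = preg_replace('/[^A-Za-z0-9_\-]/', '', $raw);
    if ($clean === '' || strlen($clean) > $maxLen) {
        return null;
    }
    return $clean;
}

// Include a script only if it is in the list of scripts that may be included.
function checkedScript(string $raw, array $allowed): ?string {
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Free-text search: replace every character that is not a letter, digit or
// space, so quotation marks and other punctuation never reach the query.
function checkedSearchTerm(string $raw, int $maxLen = 100): string {
    $clean = preg_replace('/[^\p{L}\p{N} ]/u', ' ', $raw);
    $clean = trim(preg_replace('/\s+/', ' ', $clean));
    return substr($clean, 0, $maxLen);
}

// Constructed sample inputs (not real request data).
var_dump(checkedInt('42', 1, 100));
var_dump(checkedInt('42abc', 1, 100));
var_dump(checkedName("o'reilly"));
var_dump(checkedScript('../other.php', ['home.php', 'about.php']));
var_dump(checkedSearchTerm("it's a \"quoted\" phrase"));
```

Each function returns null (or a cleaned string) instead of passing the raw value on, so the caller decides whether to reject the request or use the sanitised value, as the reply suggests.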



-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
