Hi Jigal, others,

> > Can someone shed some light on how "SQL injection" attack occurs when
> > *magic_quotes_gpc* is "ON" and how it prevents when it's "OFF". To my
> > understanding apostrophes are escaped automatically in POST/GET/COOKIE
> > when it's ON, so how it tends towards SQL Injection.
>
> magic_quotes_gpc ON is supposed to do an addslashes automatically for all
> get, post and cookie data.
>
> > What are the best practices handling 'quotation marks' in input string
> > and how to prevent SQL injection.
>
> The best way to prevent SQL injection is to check user input yourself.
> Never, ever trust any data from an external source.
What about using parameters? How are they handled in MySQL?

With regards,

Martijn Tonies
Database Workbench - developer tool for InterBase, Firebird, MySQL & MS SQL Server.
Upscene Productions
http://www.upscene.com

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
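To make the parameter question concrete, here is an added PHP example (not code from anyone in the thread) showing the two approaches side by side: splicing an addslashes()-escaped value into the SQL text, which is what magic_quotes_gpc automated, and passing the value as a bound parameter that MySQL receives separately from the statement. The DSN, credentials and the `users` table are assumptions for illustration.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumptions: a MySQL server reachable via the DSN below and a table
//   users(id INT, name VARCHAR(64)). Adjust to your environment.
declare(strict_types=1);

// 1. Escaping approach (what magic_quotes_gpc did for GPC data). The value is
//    spliced into the SQL text, so correctness depends on the escaping matching
//    the server's quoting rules in every context the value can appear in.
function findUserByEscaping(PDO $db, string $name): array
{
    $escaped = addslashes($name);               // O'Brien -> O\'Brien
    $sql = "SELECT id, name FROM users WHERE name = '" . $escaped . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Parameterised approach. The SQL text holds only a placeholder; the value
//    travels in a separate protocol message and is never parsed as SQL, so no
//    quoting or escaping of the input is needed at all.
function findUserByParameter(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);        // O'Brien is sent unchanged
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO(
    'mysql:host=127.0.0.1;dbname=appdb;charset=utf8mb4', // assumed DSN
    'appuser',                                            // assumed user
    'secret',                                             // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Turn off PDO's client-side emulation so MySQL's native
        // prepared-statement protocol is used: the server compiles the
        // statement first and receives the bound value afterwards.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed input containing an apostrophe, the case the thread asks about.
$input = $_GET['name'] ?? "O'Brien";
print_r(findUserByParameter($db, $input));
```

With emulation disabled, a value that the escaping approach must rewrite is simply bound as data, which is why bound parameters rather than addslashes() or magic_quotes are the usual answer to the quoting question.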