On 03/11/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Fri, November 3, 2006 5:30 am, Dotan Cohen wrote:
> To all others who took part in this thread: I was unclear on another
> point as well, the issue of sql-injection. As I'm removing the
> symbols, signs, and other non-alpha characters from the query, I
> expect it to be sql-injection proof. As I wrong? ie, could an attacker
> successful inject sql if he has nothing but alpha characters at his
> disposal? I think not, but I'd like to hear it from someone with more
> experience than i.
In Latin1, ISO-8891-1 or whatever, plain old not-quite-ASCII, yeah,
you should be safe, I think...
I'm making *no* promises if your DB is configured to accept some
*other* character set, or the Bad Guy manages to trick it into
thinking it should be using that charset.
Yep, configured to accept UTF-8. Us Hebrew-speakers and our funny letters :)
Why the big deal about just calling mysql_real_escape_string() on your
data?
No biggie- I'm doing that too.
Or using prepared statements and that ilk?
Then you'd be 100% sure, and not worrying about it, eh?
Well, abstinence is not an option! I can't use prepared statements on
a full-text search.
Thanks, Richard. When is that Uranus office opening???? I've been
waiting almost five years!!
Dotan Cohen
nirot.com
http://what-is-what.com/what_is/ubuntu.html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php