On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> > Is the "--" here not treated as the beginning of an SQL comment?
>
> No, because it is inside the apostrophes.
>
> The purpose of mysql_real_escape_string (or using prepared statements)
> is to mark up (or separate) the DATA from the QUERY.
>
> The data about to be put into the database being escaped by
> mysql_real_escape_string is sufficient to be sure nobody is playing
> games with apostrophe followed by -- which could, in theory, insert an
> SQL comment or allow them to execute arbitrary SQL code.
In that case, the function:

function clean_mysql ($dirty) {
    // strip comment and statement terminators, then escape for MySQL
    $dirty = str_replace("--", "", $dirty);
    $dirty = str_replace(";", "", $dirty);
    $clean = mysql_real_escape_string($dirty);
    return $clean;
}

Can be reduced to:

function clean_mysql ($dirty) {
    $clean = mysql_real_escape_string($dirty);
    return $clean;
}

Which basically is the same as a simple mysql_real_escape_string? In other
words, is mysql_real_escape_string itself safe from SQL injection?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
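The following is an added example, not code from either message in the thread. It models what mysql_real_escape_string does (the escape table is the one documented for the MySQL C API function: NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z) and adds a small scanner that finds where a single-quoted MySQL string literal ends. Running the "x' OR 1=1 --" payload through the three-step clean_mysql from the post and through the reduced one shows that both leave the whole payload inside the apostrophes, so the str_replace calls add no protection; they only mangle legitimate data that happens to contain "--" or ";". It also shows the limit of the answer "because it is inside the apostrophes": a value interpolated without quotes has nothing for the escaping to work with. Assumptions: the connection charset is single-byte or UTF-8 (multibyte charsets such as GBK are out of scope here), and the table name, queries and payload strings are constructed for the example.

```python
# Added example (not from the mailing-list thread): a pure-Python model of
# mysql_real_escape_string plus a scanner for MySQL single-quoted literals.
# Assumptions: non-multibyte connection charset; all queries, the "users"
# table and the payloads below are constructed for this example.

# Characters the C API's mysql_real_escape_string rewrites.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_real_escape_string(value: str) -> str:
    """Model of PHP's mysql_real_escape_string for a non-multibyte charset."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def clean_mysql_long(dirty: str) -> str:
    """The three-step function from the post: strip '--' and ';', then escape."""
    dirty = dirty.replace("--", "").replace(";", "")
    return mysql_real_escape_string(dirty)


def clean_mysql(dirty: str) -> str:
    """The reduced function from the post: escaping only."""
    return mysql_real_escape_string(dirty)


def end_of_string_literal(sql: str, start: int) -> int:
    """Index just past the closing apostrophe of the single-quoted literal that
    opens at sql[start], honouring MySQL backslash escapes and doubled ''."""
    if sql[start] != "'":
        raise ValueError("no string literal at the given offset")
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":          # backslash escape: the next char is data
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # doubled quote: still inside the literal
                continue
            return i + 1        # closing apostrophe found
        i += 1
    raise ValueError("unterminated string literal")


def build_quoted_query(name: str, escape) -> str:
    """Constructed query in which the value sits inside apostrophes."""
    return "SELECT * FROM users WHERE name = '" + escape(name) + "'"


def build_bare_query(user_id: str, escape) -> str:
    """Constructed query in which a (supposedly numeric) value is NOT quoted."""
    return "SELECT * FROM users WHERE id = " + escape(user_id)


def query_tail(payload: str, escape) -> str:
    """SQL text that follows the first string literal of the built query.
    An empty tail means the entire payload stayed inside the literal."""
    sql = build_quoted_query(payload, escape)
    end = end_of_string_literal(sql, sql.index("'"))
    return sql[end:]


def identity(s: str) -> str:
    """No escaping at all, for comparison."""
    return s


if __name__ == "__main__":
    payload = "x' OR 1=1 --"
    print("no escaping  ->", repr(query_tail(payload, identity)))
    print("clean_mysql  ->", repr(query_tail(payload, clean_mysql)))
    print("long version ->", repr(query_tail(payload, clean_mysql_long)))
    # Stripping '--' mangles legitimate data; escaping alone keeps it intact.
    print(clean_mysql_long("O'Brien -- see note"), "|",
          clean_mysql("O'Brien -- see note"))
    # Without apostrophes there is nothing for the escaping to work with.
    print(build_bare_query("1 OR 1=1", clean_mysql))
```

With no escaping the literal closes right after "x" and the rest of the payload becomes live SQL followed by a comment; with either version of clean_mysql the tail is empty because the apostrophe has been turned into "\'" and the "--" is just characters inside the literal. The bare-query case is the caveat a practitioner wants alongside the thread's answer: escaping is only a substitute for prepared statements when the value is actually quoted, which is why Richard's "or using prepared statements" is the safer of the two options he names.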