On Mon, Feb 22, 2010 at 5:02 PM, Slack-Moehrle
<mailingli...@mailnewsrss.com> wrote:
> John,
>
>>>Then if you use a MySQL database you would escape the string like this
>>>$tmp = mysql_real_escape_string($_REQUEST['yyy']);
>
>
>>>mysql_real_escape_string() protect from SQL injection by escaping your
>>>string according to what your charset requires.
>
> Good point, I should be doing that. But only to String, not data stored in 
> MySQL as Int or Date, etc.
>
> -ML

Just to clarify, while you would not use mysql_real_escape_string()
for datatypes other than strings, you still need to do filtering,
validation, and sanity checking on other datatypes as well. As I
pointed out in another thread recently, these are just as vulnerable
to SQL injection even though the variable values are expected to be
integers or dates:

$sql = "SELECT `my_id`, `my_message` FROM `my_comments` WHERE `my_id` = $my_id";

$sql = "SELECT `post_id`, `post_text`, `post_date` FROM `blog_posts`
WHERE `post_date` BETWEEN '$first_post_date' AND '$last_post_date'";


IMO mysql_real_escape_string() (or any similar function used for
different db vendors) is just a method to escape sequences that have
special meaning in a SQL query. It is the LAST step you should perform
when processing input to be saved in a MySQL database (when
parameterized queries are not available), after you have done
everything you can to ensure that ALL the values being passed in the
query are valid.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to