php-general | 2005051
Date: 05/12/05
- Next message: Miguel Vaz: "[PHP] protected too much!"
- Previous message: K.S. TANG: "[PHP] Help!!! Cannot do Authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-------------- Original message ----------------------
From: "Richard Lynch" <ceo <email protected>>
> On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
> > From me:
> > The fact that it uses the character set of your current connection to
> > MySQL means that what your escaping function considers to be a single
> > quote is exactly what your database considers to be a single quote. If
> > these things don't match, your escaping function can miss something that
> > your database interprets, opening you up to an SQL injection attack.
>
> Under the following pre-conditions:
> 1. C Locale / English in MySQL data
> 2. No intention to ever switch natural language, nor database.
>
> is there any real benefit to spending man hours I really can't afford for
> legacy code to switch from Magic Quotes to mysql_real_escape_string -- and
> make no mistake, it would be a TON of man hours.
I believe it also takes into account special characters like _ and %, which addslashes does not. In certain instances, if you do not escape special characters such as the wildcards I mentioned, the results that you get can differ from what you intended. One instance where this comes into play is a search form used by a non-technical user. You should probably check that though; it has been a while since I have looked into it.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
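The two concerns raised in this thread are separate: quote escaping that agrees with the connection's character set, and the LIKE wildcards `%` and `_`, which no quote-escaping function touches (mysql_real_escape_string and its mysqli successor escape quotes, backslashes, NUL and a few control characters only). The example below is added here for illustration and is not code from the thread or from any of its authors. It uses mysqli because the 2005-era mysql_* functions were removed in PHP 7; the table name `products`, the column `name`, the connection details and the `RUN_DB_DEMO` switch are all assumptions.

```php
<?php
// Added example, not from the original thread. Shows (1) a LIKE-wildcard
// escaping step that addslashes()/quote-escaping does not perform, and
// (2) charset-aware escaping or parameter binding for the quoted literal.

// Escape the characters that have special meaning inside a LIKE pattern.
// The backslash is handled first so the backslashes added for % and _
// are not doubled afterwards. MySQL's default LIKE escape character is
// the backslash, so no ESCAPE clause is needed in the query.
function escape_like(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

// Constructed sample input from a search form. addslashes() leaves the
// wildcards intact, so "100%" would match anything starting with "100".
$userInput = "100%_off";
echo addslashes($userInput), "\n";    // prints 100%_off   (wildcards intact)
echo escape_like($userInput), "\n";   // prints 100\%\_off (wildcards literal)

// The database part only runs when explicitly enabled; the connection
// values are placeholders, not a real deployment.
if (getenv('RUN_DB_DEMO') === '1') {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'shop'); // placeholders

    // Set the charset through the API rather than "SET NAMES", so that
    // real_escape_string() and the server agree on what a quote byte is.
    // This is the character-set point quoted at the top of the thread.
    $db->set_charset('utf8mb4');

    // The whole pattern, including the user's term, is one parameter.
    // Wildcard escaping is still required: binding prevents the value
    // from breaking out of the literal, not from acting as a wildcard.
    $pattern = '%' . escape_like($userInput) . '%';

    // Preferred: prepared statement with a bound parameter.
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    while ($stmt->fetch()) {
        echo "$id: $name\n";
    }
    $stmt->close();

    // Legacy style the thread is weighing (escaping into a quoted literal):
    // charset-aware, unlike addslashes()/magic quotes, and still combined
    // with the LIKE-wildcard step above.
    $sql = "SELECT id, name FROM products WHERE name LIKE '"
         . $db->real_escape_string($pattern) . "'";
    $result = $db->query($sql);
    while ($row = $result->fetch_assoc()) {
        echo $row['id'] . ': ' . $row['name'] . "\n";
    }
    $db->close();
}
```

The wildcard step matters for the search-form case mentioned in the reply: without it a user typing `100%` gets a prefix match rather than a literal one, regardless of which quote-escaping function or binding mechanism protects the literal itself.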