
Thread: mssql SQL Injection

  1. #11

    " single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc " is what I've found. Doesn't seem to be a stock function comparable to mysql_real_escape_string(). Microsoft (those loveable hunks) suggest using stored procedures and validating all inputs using custom-built regexes. I'm sure you've got enough free time for that.

  2. #12

    haha yea, plenty of time for that. I've just gotten back to this thread now. So going further into this...


    I've started using parametrized queries as an alternative to escaping all the possible inputs.

    How secure is this method, if at all?

    Side note for mssql users stumbling upon this: mssql doesn't take the \' as escaping; the double single quote ('') is how mssql escapes a single quote, so the query would be

    Code:
    $query = "select * from users where lastname like 'o''brien';';

    Corrections to my coding/thoughts welcome.

  3. #13

    By "parametrized queries" you mean that you have a list of possible queries or parts of queries and the user's input selects which one to use, but there are no custom fields? That should be entirely secure.
    (If one of your terms happens to be ;DROP DATABASE, then you'd need to fix that.)


    Note that in the syntax of your code above you are mixing double and single quotes. I believe the last single quote should be double instead.

    MySQL does that same method of escaping single quotes. You just never see it because mysql_real_escape...() does it for you.

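As an added example (not code from the thread), here are both approaches discussed above in PHP: the T-SQL quote-doubling from post #12 with the stray trailing quote fixed, and a real parametrized query, which binds the user's text as data into one fixed statement rather than picking from a list of pre-written queries. It assumes the PDO sqlsrv driver and a hypothetical DSN.

```php
<?php
// 1) Manual escaping, the T-SQL way: a single quote inside a string literal
//    is written as two single quotes (no backslash). This only protects the
//    quoted-string context, which is why parameters are preferred.
function mssqlQuoteLiteral(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Corrected form of the query from post #12 (the closing quote is now double):
//   select * from users where lastname like 'o''brien';
$query = "select * from users where lastname like " . mssqlQuoteLiteral("o'brien") . ";";

// 2) Parametrized query: the statement text carries a placeholder and the
//    driver sends the value separately, so the value is never parsed as SQL.
//    A value such as "x'; DROP DATABASE" is matched as plain text, not run.
//    Caveat: parameters stop injection but do not neutralise LIKE wildcards;
//    escape % and _ yourself if the input must be matched literally.
function findUsersByLastName(PDO $pdo, string $lastName): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE lastname LIKE :lastname');
    $stmt->execute([':lastname' => $lastName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical connection details; replace with your own server and credentials.
$pdo = new PDO('sqlsrv:Server=localhost;Database=example', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$rows = findUsersByLastName($pdo, "o'brien"); // matches O'Brien, no escaping needed
```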
