I've read about PHP's magic_quotes_gpc = 1 as a means of preventing SQL injection. However, many of those sites also claim that relying on magic_quotes_gpc is not very smart, in fact that magic_quotes_gpc is basically evil.
Can someone shed some light on this? Can I rely on it, and why would it be evil?
DrDoc
6:35 pm on May 15, 2003 (gmt 0)
evil = allows for sloppy programming. It's never good to rely on a built-in function that isn't set by default in later PHP versions.
Use addslashes() instead. That's what PHP themselves recommend.
brotherhood of LAN
6:39 pm on May 15, 2003 (gmt 0)
mysql_escape_string will do the same job, from the horse's mouth in the manual:
This function will escape the unescaped_string, so that it is safe to place it in a mysql_query().
gilmour
6:48 pm on May 15, 2003 (gmt 0)
Additionally, crop the form data to your max length with PHP before calling your SQL statement rather than relying on the form's 'maxlength=x' property. Doesn't have anything to do with escaping single or double quotes... but it's good practice to help prevent SQL injections.
daisho
1:31 pm on May 16, 2003 (gmt 0)
If you are using MySQL use "mysql_escape_string()" for _every_ piece of data that's coming from a user. This is better than addslashes for this case since mysql_escape_string will always properly escape for MySQL even if that escaping changes.
If you are using Oracle then use Binds (OCIBindByName, OCIBindByNum).
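As an added example (not code from anyone in this thread), here is what "relying on magic_quotes_gpc" does to the same input under the two php.ini settings, and the bind-parameter route daisho mentions, shown with PDO and SQLite rather than the Oracle OCI calls. The helper names simulate_gpc, escape_sloppy, escape_once and store_and_read_back are chosen here; the input value is constructed.

```php
<?php
// Added example, not code from anyone in this thread. Shows why escaping that
// relies on magic_quotes_gpc is fragile, and the bind-parameter alternative.

// What PHP hands a script for the same raw input under either ini setting.
function simulate_gpc(string $raw, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

// Sloppy pattern: escape whatever arrived, assuming magic quotes did nothing.
// With magic_quotes_gpc=1 this escapes already-escaped data a second time.
function escape_sloppy(string $fromGpc): string
{
    return addslashes($fromGpc);
}

// Escape exactly once whatever the ini setting: undo magic quotes if they were
// applied, then escape explicitly. get_magic_quotes_gpc() is gone in PHP 8,
// so the flag is passed in here; a real app would read it once at startup.
function escape_once(string $fromGpc, bool $magicQuotesOn): string
{
    $raw = $magicQuotesOn ? stripslashes($fromGpc) : $fromGpc;
    return addslashes($raw);
}

// Bind parameters: the value never becomes part of the SQL text, so no
// escaping is needed; magic quotes only matter for normalizing the input.
function store_and_read_back(string $name): string
{
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (name TEXT)');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (string) $db->query('SELECT name FROM users')->fetchColumn();
}

$input = "O'Brien";  // constructed user input containing a single quote

foreach ([false, true] as $magic) {
    $seen = simulate_gpc($input, $magic);
    // Only escape_once() yields the same string under both settings; the
    // sloppy result differs, so what gets stored depends on php.ini.
    printf("magic_quotes_gpc=%d  sloppy=%s  once=%s\n",
        (int) $magic, escape_sloppy($seen), escape_once($seen, $magic));
}

// The bound value round-trips verbatim, with no escaping step at all.
echo store_and_read_back($input) === $input ? "bound: stored verbatim\n" : "mismatch\n";
```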