sql-injection

To prevent SQL injection, is it necessary to use mysql_real_escape_string() , when magic_quotes_gpc is on? For some rare encodings, such as GBk - yes. But you should revert it not for this reason. Magic quotes should be turned off anyway (and will be in the next PHP version). So, mysql_real_escape_string() is the only escape function is left. Note that it is not sql injection prevention function. Many many people don't understand this point: it's just a part of syntax. It must be used not to "protect" anything, but to assemble syntactically correct SQL query. And must be used every time you

I have heard that sprintf() protects against SQL injection. Is it true? If so, how? Why people are recommending to write query like this: $sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2); beardhatcode sprintf wont protect! it only replaces the %s you must mysql_real_escape_string so: $sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"', mysql_real_escape_string($col1), mysql_real_escape_string($col2)); is safer injection note: I sugets you take a look at PDO , that is what I like to use for DBconections and queries That doesn't do any protection

Is there anything else that the code must do to sanitize identifiers (table, view, column) other than to wrap them in double quotation marks and "double up" double quotation marks present in the identifier name? References would be appreciated. I have inherited a code base that has a custom object-relational mapping (ORM) system. SQL cannot be written in the application but the ORM must still eventually generate the SQL to send to the SQL Server. All identifiers are quoted with double quotation marks. string QuoteName(string identifier) { return "\"" + identifier.Replace("\"", "\"\"") + "\"";

I was wondering is it possible to just my_sql_escape string the whole $_POST and $_GET array so you dont miss any variables? Not sure how to test it or I would've myself. Thanks! I would use the array_walk() function. It's better suited because modifies the POST superglobal so any future uses are sanitized. array_walk_recursive( $_POST, 'mysql_real_escape_string' ); However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. Ex. Email's don't have quotes in them (so only allow letters,

I'm trying to simply prove here that this simple function isn't good enough to prevent every sql injection in the world: Function CleanForSQL(ByVal input As String) As String Return input.Replace("'", "''") End Function Here is a typical insert statement from one of our apps: Database.DBUpdate("UPDATE tblFilledForms SET Text1 = '" + CleanForSQL(txtNote.Text) + "' WHERE FilledFormID = " + DGVNotes.SelectedRows(0).Cells("FilledFormID").Value.ToString) I know its not secure, because of googling and looking up other questions on StackOverflow.com. Here is one question that I found in which all