sql-injection

Is a SQLAlchemy query vulnerable to injection attacks?

五迷三道 submitted on 2019-11-30 08:36:12
Question: I have the following query that uses like to search a blog. I am not sure if I'm making myself vulnerable to a SQL injection attack if I do this. How is SQLAlchemy handling this? Is it safe? search_results = Blog.query.with_entities(Blog.blog_title).filter(Blog.blog_title.like("%"+ searchQuery['queryText'] +"%")).all()
Answer 1: The underlying db-api library for whatever database you're using (sqlite3, psycopg2, etc.) escapes parameters. SQLAlchemy simply passes the statement and parameters to

Sql Injection protection with only str_replace

╄→尐↘猪︶ㄣ submitted on 2019-11-30 07:41:53
Question: I'm studying SQL injection and tried in my PHP code this query: $condition = str_replace(["'","\\"],["\\'","\\\\"], @$_GET['q']); $query = "SELECT * FROM dummy_table WHERE dummy_column = '$condition'"; DB and tables charset is set to UTF8. I can't inject anything, can someone help me please? EDIT: As pointed out by GarethD this would escape first ' and then \, allowing injection, what about this str_replace? $condition = str_replace(["\\","'"],["\\\\","\\'"], @$_GET['q']);
Answer 1: This isolated

function to sanitize input to Mysql database

假如想象 submitted on 2019-11-30 03:42:08
I am trying to put a general purpose function together that will sanitize input to a Mysql database. So far this is what I have: function sanitize($input){ if(get_magic_quotes_qpc($input)){ $input = trim($input); // get rid of white space left and right $input = htmlentities($input); // convert symbols to html entities return $input; } else { $input = htmlentities($input); // convert symbols to html entities $input = addslashes($input); // server doesn't add slashes, so we will add them to escape ',",\,NULL $input = mysql_real_escape_string($input); // escapes \x00, \n, \r, \, ', " and \x1a

How do Django forms sanitize text input to prevent SQL injection, XSS, etc?

五迷三道 submitted on 2019-11-30 03:33:21
Question: I don't see any form input sanitization in Django's form code w/r/t handling raw text. How does Django ensure that user input is sanitized when going into the database? Does it do this at all to prevent SQL injection, etc?
Answer 1: User input is sanitized by the database driver automatically. Explicit user input sanitization is only ever required when you are trying to assemble a single string that contains both the SQL commands and also the data that you are trying to include; proper use of the

Escaping user input from database necessary?

人走茶凉 submitted on 2019-11-30 03:31:05
So I know about MySQL injection and always escape all my user input before putting it in my database. However I was wondering, imagine a user tries to submit a query to inject, and I escape it. What if I then at a later moment take this value from the database, and use it in a query. Do I have to escape it again? So: ( sql::escape() contains my escape function) $userinput = "'); DROP `table` --"; mysql_query("INSERT INTO `table` (`foo`,`bar`) VALUES ('foobar','".sql::escape($userinput)."')"); // insert php/mysql to fetch `table`.`bar` into $output here mysql_query("INSERT INTO `table2` (`foo`,

PostgreSQL - DB user should only be allowed to call functions

给你一囗甜甜゛ submitted on 2019-11-30 03:18:15
Currently I'm using PostgreSQL for my application. Since I am trying to put every SQL that contains a transaction (i.e. insert, update, delete) in a function, I stumbled upon this problem: Is it possible that a database user may only be allowed to call functions and Select-Statements while he can not call SQL-Statements which contain a transaction? By "call functions" I mean any function. Regardless if it contains a transaction or not. I already tried to create a user which can only call functions and Select-Statements. But I always end up with an error, when calling functions which contain

Strange URL containing 'A=0 or '0=A in web server logs

谁说胖子不能爱 submitted on 2019-11-30 03:17:50
During the last weekend some of my sites logged errors implying wrong usage of our URLs: ...news.php?lang=EN&id=23'A=0 or ...news.php?lang=EN&id=23'0=A instead of ...news.php?lang=EN&id=23 I found only one page originally which mentioned this ( https://forums.adobe.com/thread/1973913 ) where they speculated that the additional query string comes from GoogleBot or an encoding error. I recently changed my sites to use PDO instead of mysql_* . Maybe this change caused the errors? Any hints would be useful. Additionally, all of the requests come from the same user-agent shown below. Mozilla/5.0

Which characters are actually capable of causing SQL injection in mysql

本小妞迷上赌 submitted on 2019-11-30 03:05:25
We all know that we should use prepared statements or the appropriate replacement/formatting rules in order to prevent sql injection in our applications. However, when taking a look at MySQL's list of character literals, I noticed that it includes the following characters: \0 An ASCII NUL ( 0x00 ) character. \' A single quote ( ' ) character. \" A double quote ( " ) character. \b A backspace character. \n A newline (linefeed) character. \r A carriage return character. \t A tab character. \Z ASCII 26 ( Ctrl + Z ). See note following the table. \\ A backslash ( \ ) character. \% A % character. \

How can I prevent SQL injection attacks in Go while using “database/sql”?

大兔子大兔子 submitted on 2019-11-30 01:46:17
Building my first web-app and want to understand SQL injection better ( https://github.com/astaxie/build-web-application-with-golang/blob/master/en/eBook/09.4.md ). How much protection against SQL injection do I get from just always using the 'database/sql' library and constructing queries using '?' instead of concatenating strings? What kind of SQL injection attacks will I still have to worry about in that case? As long as you're using Prepare or Query , you're safe. // this is safe db.Query("SELECT name FROM users WHERE age=?", req.FormValue("age")) // this allows sql injection. db.Query(

Is it necessary to use mysql_real_escape_string(), when magic_quotes_gpc is on?

自古美人都是妖i submitted on 2019-11-30 00:00:47
Question: To prevent SQL injection, is it necessary to use mysql_real_escape_string() , when magic_quotes_gpc is on?
Answer 1: For some rare encodings, such as GBK - yes. But you should revert it not for this reason. Magic quotes should be turned off anyway (and will be in the next PHP version). So, mysql_real_escape_string() is the only escape function left. Note that it is not a SQL injection prevention function. Many many people don't understand this point: it's just a part of syntax. It must be used