sql-injection

Is there a Regular Expression that can detect SQL in a string? Does anyone have a sample of something that they have used before to share? Don't do it. You're practically guaranteed to fail. Use PreparedStatement (or its equivalent) instead. use stored procs or prepared statements, how will you detect something like this? BTW do NOT run that DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415 245204054205641524348415228323535292C40432056415243 4841522832353529204445434C415245205461626C655 F437572736F7220435552534F5220464F522053454C45435420612E6

I'm developing a website and I'm trying to secure the connection part. I used the addslashes function on $login to stop SQL injection but some friends told me that's not enough security. However, they didn't show me how to exploit this vulnerability. How can I / could you break this code? How can I secure it? <?php if ( isset($_POST) && (!empty($_POST['login'])) && (!empty($_POST['password'])) ) { extract($_POST); $sql = "SELECT pseudo, sex, city, pwd FROM auth WHERE pseudo = '".addslashes($login)."'"; $req = mysql_query($sql) or die('Erreur SQL'); if (mysql_num_rows($req) > 0) { $data = mysql

In PHP Manual, there is a note: Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks. Is this enough to anti sql injection? If not, could you give an example and a good solution to anti sql injection? mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). A better alternative which completely rules out SQL injections on a conceptual level is prepared statements . Both methods entirely

User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are also some other approaches I haven't though of in addition to these. I am leaning more towards the first method, because any data that came from user input must still be approached cautiously, where the "cleaned" data might still unknowingly or accidentally be

If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements? The links that I have posted in my comments to the question explain the problem very well. I've summarised my feelings on why the problem persists, below: Those just starting out may have no awareness of SQL injection. Some are aware of SQL injection, but think that escaping is the (only?) solution. If you do a quick Google search for php mysql query , the first page that appears is the mysql_query page, on which there is an example that shows interpolating