NYCPHP Meetup

[nycphp-talk] Not-so-subtle attack on PHP

Cliff Hirsch cliff at pinestream.com
Wed Sep 26 14:34:06 EDT 2007


On 9/26/07 1:53 PM, "Jake McGraw" <jmcgraw1 at gmail.com> wrote:
> Oh snap!
> 
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a full proof method
> of preventing SQL injection.

Filter functions? Not the new input filter functions? To trully prevent SQL
injection, you need to use eiher prepared statements or mysqlrealescape
function. And don't forget to put ' ' around the result, otherwise, it's
useless.





More information about the talk mailing list