[nycphp-talk] Not-so-subtle attack on PHP

Cliff Hirsch cliff at
Wed Sep 26 14:34:06 EDT 2007

On 9/26/07 1:53 PM, "Jake McGraw" <jmcgraw1 at> wrote:
> Oh snap!
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a foolproof method
> of preventing SQL injection.

Filter functions? Not the new input filter functions? To truly prevent SQL
injection, you need to use either prepared statements or the mysql_real_escape
function. And don't forget to put ' ' around the result, otherwise, it's
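The two approaches Cliff names, side by side, as an added example that is not code from this thread or from either poster. It assumes a local MySQL database with a constructed table `users(id INT, email VARCHAR(255))`; the connection credentials are placeholders, and `mysqli::real_escape_string` stands in for the procedural escape function he refers to.

```php
<?php
// Added example, not from the thread. Assumes a MySQL database with a
// constructed table users(id INT, email VARCHAR(255)); credentials are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_errno) {
    die('Connect failed: ' . $db->connect_error);
}
// Escaping is charset-aware, so fix the connection charset before escaping anything.
$db->set_charset('utf8mb4');

// Untrusted input straight from the request (isset() keeps this PHP 5 compatible).
$email = isset($_GET['email']) ? $_GET['email'] : '';

// 1. Prepared statement: the value is sent separately from the SQL text, so the
//    driver handles quoting and escaping and the statement structure cannot change.
$stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
$stmt->bind_param('s', $email);       // 's' = bind as string
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo "prepared: user id $id\n";
}
$stmt->close();

// 2. Escaping: only correct when the escaped value is wrapped in single quotes.
//    real_escape_string() escapes quote, backslash, NUL and line-break characters;
//    it does NOT add the quotes, and a value containing none of those characters
//    passes through unchanged, so without the quotes the escaping protects nothing.
$safe = "'" . $db->real_escape_string($email) . "'";
$result = $db->query("SELECT id FROM users WHERE email = $safe");
while ($row = $result->fetch_assoc()) {
    echo "escaped: user id {$row['id']}\n";
}
$result->free();

// 3. Numeric columns are not quoted in SQL, so quoting is not the fix there.
//    Validate to an integer first (the PHP 5.2+ filter extension Jake mentions),
//    then either interpolate the validated int or bind it with type 'i'.
$userId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($userId === false || $userId === null) {
    die('id must be an integer');
}
$stmt = $db->prepare('SELECT email FROM users WHERE id = ?');
$stmt->bind_param('i', $userId);      // 'i' = bind as integer
$stmt->execute();
$stmt->bind_result($foundEmail);
while ($stmt->fetch()) {
    echo "by id: $foundEmail\n";
}
$stmt->close();
$db->close();
```

Prepared statements are the simpler default because the quoting question never arises; the escape-and-quote form is what to audit for in older code, where a missing pair of quotes around the escaped value (or an unquoted numeric parameter) is the usual defect.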

