#2
01-18-09, 07:21 PM
End User
Level II Curmudgeon
 
Join Date: Dec 2004
Posts: 3,027
Thanks: 14
Thanked 35 Times in 33 Posts
Quote:
Originally Posted by Psybadek
I don't know why, but now that I'm taking the time to secure my script I really want to know: is all I need to do to prevent it just to wrap what's being input in mysql_real_escape_string?
Trust me, mysql_real_escape_string() is easily bypassed. It will NOT keep you safe and that's a fact. Check here for lots of examples that will easily bypass mysql_real_escape_string():

http://ha.ckers.org/xss.html

If you can protect against all of those examples, you're *probably* safe (but I wouldn't count on it).

If you can't protect against all of those, you aren't safe.

mysql_real_escape_string() is like an airbag that always works right up until it's needed.
__________________
I don't live on the edge, but sometimes I go there to visit.
-------------------------------------------------------------------------
Sanitize Your Data | Oracle Date & Substring Functions | Code Snippet Library | Call Of Duty (http://www.codmb.com/)
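An added example, not code from the thread or from End User, showing the situation the reply is warning about. It uses Python with SQLite standing in for MySQL (an assumption made so the script runs offline); the quoting helper doubles single quotes the way SQLite expects rather than backslash-escaping the way mysql_real_escape_string() does, but it protects the same thing, namely a value that sits inside a quoted string literal. The table and rows are constructed. The point it demonstrates is that escaping does nothing when the escaped value lands in an unquoted numeric position, which is exactly where people drop the quotes, and that a bound parameter plus type validation closes the hole regardless of quoting.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def escape_string(value):
    """Stand-in for mysql_real_escape_string(): makes a value safe to embed
    INSIDE a single-quoted SQL literal. SQLite wants '' where MySQL wants \\',
    but the security property is identical: it only helps if the caller
    actually wraps the result in quotes."""
    return str(value).replace("'", "''")


def lookup_by_name_escaped(conn, name):
    """Quoted string context: escaping is sufficient here."""
    sql = "SELECT id FROM users WHERE name = '%s' ORDER BY id" % escape_string(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(conn, user_id):
    """The classic mistake: the column is numeric, so the author leaves out
    the quotes. Nothing in the payload needs a quote character, so
    escape_string() returns it unchanged and the WHERE clause is rewritten."""
    sql = "SELECT id FROM users WHERE id = %s ORDER BY id" % escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn, user_id):
    """Bound parameter: the value is sent separately from the statement text,
    so it can never change the query's structure, quoted or not."""
    sql = "SELECT id FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_by_id_validated(conn, user_id):
    """Belt and braces: an integer column gets an integer. Anything that is
    not an integer is rejected before it goes anywhere near SQL."""
    uid = int(user_id)  # raises ValueError on "0 OR 1=1"
    return lookup_by_id_param(conn, uid)


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR 1=1"  # constructed attacker input, no quote characters
    print("quoted + escaped, hostile name :", lookup_by_name_escaped(db, "x' OR '1'='1"))
    print("unquoted + escaped, hostile id :", lookup_by_id_escaped(db, payload))
    print("bound parameter, hostile id    :", lookup_by_id_param(db, payload))
    try:
        lookup_by_id_validated(db, payload)
    except ValueError as exc:
        print("validated, hostile id          : rejected (%s)" % exc)
```

Run it and the unquoted-but-escaped lookup returns every user while the quoted-and-escaped and parameterised lookups return nothing for the hostile input; the validating version refuses it outright. Escaping is a property of one string literal, not of the query, so the fix that survives the next developer forgetting a pair of quotes is the bound parameter.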