Comments on: Writing Secure SQL Queries http://pr0gr4mm3r.com/mysql/writing-secure-sql-queries/ Free tools and information maintained by an online entrepreneur. Thu, 26 Aug 2010 20:35:24 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Andrew Wells http://pr0gr4mm3r.com/mysql/writing-secure-sql-queries/comment-page-1/#comment-5682 Andrew Wells Mon, 03 Mar 2008 05:21:36 +0000 http://wp.pr0gr4mm3r.com/mysql/writing-secure-sql-queries/#comment-5682 Yeah, Wordpress likes to mess with my quotes. I have been looking into how to disable that fancy formatting. That's a good idea with putting in that magic quotes test. I was escaping strings on this one server, and everything was being outputted with extra backslashes. Turned out it was because "magic_quotes_gpc" was enabled. I always disable that function whenever possible because I secure it myself. Yeah, WordPress likes to mess with my quotes. I have been looking into how to disable that fancy formatting.

That’s a good idea with putting in that magic quotes test. I was escaping strings on this one server, and everything was being outputted with extra backslashes. Turned out it was because “magic_quotes_gpc” was enabled. I always disable that function whenever possible because I secure it myself.

]]> By: Matt http://pr0gr4mm3r.com/mysql/writing-secure-sql-queries/comment-page-1/#comment-5681 Matt Mon, 03 Mar 2008 05:00:15 +0000 http://wp.pr0gr4mm3r.com/mysql/writing-secure-sql-queries/#comment-5681 I knew about SQL injection, but I actually never tried it. I copied your sample into a login form on my site (after removing the escape logic), and it does work. Neat-O! (I had to replace all those funky quotes in your sample code though). I escape the user input in my PHP code with this function: [code] function escapeData($data) { if(ini_get('magic_quotes_gpc')) $data = stripslashes($data); return mysql_real_escape_string($data); } [/code] It's more portable than just using mysql_real_escape_string() everywhere. I knew about SQL injection, but I actually never tried it. I copied your sample into a login form on my site (after removing the escape logic), and it does work. Neat-O! (I had to replace all those funky quotes in your sample code though).

I escape the user input in my PHP code with this function:
[code]
function escapeData($data)
{
if(ini_get('magic_quotes_gpc'))
$data = stripslashes($data);
return mysql_real_escape_string($data);
}
[/code]
It’s more portable than just using mysql_real_escape_string() everywhere.

]]>