SQL Injection PHP

**Dormilich** · Jan 27 '12, 08:09 PM

you’re not correct. addslashes() and mysql_real_esca pe_string() can escape different characters, just what PHP resp. MySQL deem necessary. I may also note that mysql_real_esca pe_string() (unlike Prepared Statements) can’t prevent all SQL Injection attacks.

**harintfs** · Jan 27 '12, 08:19 PM

Originally posted by Dormilich

you’re not correct. addslashes() and mysql_real_esca pe_string() can escape different characters, just what PHP resp. MySQL deem necessary. I may also note that mysql_real_esca pe_string() (unlike Prepared Statements) can’t prevent all SQL Injection attacks.

if get_magic_quote s_gpc() is turn on, why should I care about sql injection, I thing it ll take care all

**harintfs** · Jan 27 '12, 08:39 PM

then whats purpose of mysql_real_esca pe_string()

**Dormilich** · Jan 27 '12, 08:42 PM

ever thought about SQL Injections that ain’t based upon the ' ?

Escapes special characters in the unescaped_strin g, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

mysql_real_esca pe_string() calls MySQL's library function mysql_real_esca pe_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

answer enough?

**harintfs** · Jan 27 '12, 08:51 PM

Pls one more ..
what are the dependency for get_magic_quote s_gpc();

**harintfs** · Jan 27 '12, 08:51 PM

Pls one more ..
what are the dependency for get_magic_quote s_gpc(); to turn on or off...

**Dormilich** · Jan 27 '12, 08:57 PM

PHP 4 or PHP 5, as far as I can see in the manual.

**harintfs** · Jan 27 '12, 08:58 PM

Thank you very much. Bye.

SQL Injection PHP

SQL Injection PHP

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment