Hi guys,
I have developed a function which escapes user input after it is parsed into a variable which contains the whole query. After I browsed through some of the topics here I found out I was wrong.
Am I right that this lacks security at all?
Escape user input
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Reply
Yes, I do escape the whole query. So I have to rewrite it to escape only the input.
Something like this:
function esc($sql) {
    // Here is the escape
    return $sql;
}
mysql_query(esc($sql));
Thank you.
Like I said, do not escape the whole query. More along the lines of:
// each value is escaped on its own, before it is placed inside the quoted SQL literal
$username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username']) : '';
$password = isset($_POST['password']) ? mysql_real_escape_string($_POST['password']) : '';
// SELECT * FROM `bleh` WHERE `user` = '$username' and `pass` = '$password'
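An added example, not code from the thread, showing why escaping the assembled query cannot work (the escape function cannot tell the author's quotes from quotes inside the data) while escaping each value before it is interpolated keeps the data inside its literal; it also shows, as the caveat for current PHP, the prepared-statement form that replaced mysql_*. It assumes addslashes() as a stand-in for mysql_real_escape_string(), which needs a live connection, and an open mysqli connection named $mysqli for the last function.

```php
<?php
// Added example (not from the thread). addslashes() stands in for
// mysql_real_escape_string(), which requires a live connection; the
// rule shown (backslash before quotes) is the same idea.

// Wrong: escape after the value has already been spliced into the SQL.
function escape_whole_query(string $sql): string {
    return addslashes($sql);
}

// Right (for the old mysql_* style): escape the value, then interpolate it
// inside single quotes so an escaped quote cannot close the string literal.
function build_login_query(string $user, string $pass): string {
    $u = addslashes($user);
    $p = addslashes($pass);
    return "SELECT * FROM `users` WHERE `user` = '$u' AND `pass` = '$p'";
}

// Constructed input: a perfectly legitimate name containing a quote.
$user = "O'Brien";
$pass = "x";

// 1. Escaping the whole query: the data quote is already part of the SQL,
//    and the author's own quotes get escaped too, so the statement is mangled.
$raw = "SELECT * FROM `users` WHERE `user` = '$user' AND `pass` = '$pass'";
echo escape_whole_query($raw), "\n";
// SELECT * FROM `users` WHERE `user` = \'O\'Brien\' AND `pass` = \'x\'

// 2. Escaping each value first: the quote stays inside the literal.
echo build_login_query($user, $pass), "\n";
// SELECT * FROM `users` WHERE `user` = 'O\'Brien' AND `pass` = 'x'

// 3. Preferred on any current PHP (mysql_* was removed in PHP 7): a prepared
//    statement sends the values separately from the SQL, so no escaping is
//    needed at all. $mysqli is assumed to be an open mysqli connection.
function find_user(mysqli $mysqli, string $user, string $pass): ?array {
    $stmt = $mysqli->prepare(
        "SELECT * FROM `users` WHERE `user` = ? AND `pass` = ?");
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```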
Re: Reply
user___ wrote: Thank you man.
My pleasure.