I have little knowledge about SQL injection. All I know is that the hacker can type the query in the input boxes, so my plan is to trap the input that has INSERT, DELETE, SELECT (and other potential queries) in it, and other input that has a semicolon and more than one apostrophe.
Is my plan OK, or does it seem ridiculous?
SQL injection
Re: SQL injection
Ridiculous. (If you have little knowledge about something - ask someone who does, instead of trying to solve a problem that you don't understand)
Use escaping and quoting.
pg_escape_string() for PostgreSQL, mysql_real_escape_string() for MySQL.
Other things that could go wrong: http://www.webappsec.org/projects/articles/091007.shtml
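Added example (not from the thread or from either poster) showing what "escaping and quoting" looks like in PHP with the mysqli extension, which replaced the ext/mysql functions named above. It assumes a hypothetical `users(id, name)` table and hypothetical connection details.

```php
<?php
// Added example: handling a user-supplied value in a MySQL query.
// The table, credentials and connection details below are hypothetical.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

$name = $_GET['name'] ?? '';   // untrusted input, e.g. "O'Brien"

// UNSAFE: the value is concatenated raw, so an apostrophe in $name ends
// the string literal and whatever follows is parsed as SQL. Note that a
// keyword/apostrophe filter (the plan in the question) would also reject a
// perfectly legitimate name like "O'Brien".
// $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";

// Option 1: escape AND quote. real_escape_string() backslash-escapes quote
// characters, but it only protects the value when that value is placed
// inside single quotes in the query text; escaping an unquoted value
// (e.g. a bare number) gives no protection. mysql_real_escape_string()
// from the old ext/mysql behaved the same way and was removed in PHP 7.
$safe = $db->real_escape_string($name);
$sql  = "SELECT id, name FROM users WHERE name = '" . $safe . "'";
$result = $db->query($sql);

// Option 2 (preferred): a prepared statement sends the value separately
// from the SQL text, so the driver handles quoting and no escaping is needed.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' = bind as a string
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Escape for HTML output as well; that is a separate context from SQL.
    echo htmlspecialchars($row['name']), "\n";
}
$stmt->close();
$db->close();
```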