SQL injection



php_postgresql
Forum Newbie
Posts: 13
Joined: Sat Apr 19, 2008 9:37 am

SQL injection

Post by php_postgresql »

I have little knowledge about SQL injection. All I know is that the hacker can type a query in the input boxes, so my plan is to trap any input that has INSERT, DELETE, SELECT (and other potential queries) in it, and any other input that has a semicolon or more than one apostrophe.

Is my plan OK, or does it seem ridiculous?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: SQL injection

Post by Mordred »

Ridiculous. (If you have little knowledge about something, ask someone who does, instead of trying to solve a problem that you don't understand.)
Use escaping and quoting.
pg_escape_string() for PostgreSQL, mysql_real_escape_string() for MySQL.

Other things that could go wrong: http://www.webappsec.org/projects/articles/091007.shtml
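An added example (not code from either poster) that puts the two approaches in this thread side by side: the keyword/semicolon/apostrophe filter proposed in the question, and the escape-and-quote approach from the reply, plus a parameterized query for comparison. It is written in Python against an in-memory SQLite table rather than PHP and PostgreSQL so it runs stand-alone; the users table and its rows are constructed for the demo, and `escape_string()` is a stand-in that does only the quote doubling pg_escape_string() does for apostrophes (the real function also handles backslashes depending on the server's `standard_conforming_strings` setting, and its output is only safe when placed inside single quotes). The PHP equivalent of the parameterized lookup would be pg_query_params(), or a mysqli prepared statement; note that mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.

```python
import re
import sqlite3

# Constructed sample data standing in for a real users table (assumption).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("O'Brien", "pw")]

KEYWORD_BLACKLIST = re.compile(
    r"\b(INSERT|DELETE|SELECT|UPDATE|DROP|UNION)\b", re.IGNORECASE
)


def blacklist_allows(value: str) -> bool:
    """The filter proposed in the question: reject SQL keywords, any
    semicolon, or more than one apostrophe. Returns True if the input
    would be let through."""
    if KEYWORD_BLACKLIST.search(value):
        return False
    if ";" in value:
        return False
    if value.count("'") > 1:
        return False
    return True


def escape_string(value: str) -> str:
    """Stand-in for pg_escape_string(): double every apostrophe so the
    value can be embedded between single quotes in the SQL text."""
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Escaping and quoting, as the reply recommends: the escaped value
    is only safe because it sits inside single quotes."""
    sql = f"SELECT name FROM users WHERE name = '{escape_string(name)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value never becomes part of the SQL text,
    so no escaping is needed at all."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo() -> dict:
    """Run all three lookups against an injection payload and a legitimate
    name containing an apostrophe, returning what each one did."""
    conn = fresh_db()
    payload = "x' OR 1=1 --"   # no keyword from the list, no ';', one apostrophe
    legit = "O'Brien"
    results = {
        "blacklist_allows_payload": blacklist_allows(payload),
        "interpolated_payload": sorted(lookup_interpolated(conn, payload)),
        "escaped_payload": lookup_escaped(conn, payload),
        "parameterized_payload": lookup_parameterized(conn, payload),
        "escaped_legit": lookup_escaped(conn, legit),
        "parameterized_legit": lookup_parameterized(conn, legit),
    }
    try:
        results["interpolated_legit"] = lookup_interpolated(conn, legit)
    except sqlite3.OperationalError as exc:
        # 'O'Brien' breaks the query even with no attacker involved.
        results["interpolated_legit"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload passes the proposed blacklist (no listed keyword, no semicolon, a single apostrophe) and the interpolated query returns every row, while the escaped and parameterized lookups return nothing. The legitimate name O'Brien shows the other half of the problem: unescaped interpolation raises a syntax error for an ordinary user, whereas both the escaped and the parameterized versions find the row.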