SQL injection

Posted: Mon May 12, 2008 5:29 am
by php_postgresql
I have little knowledge about SQL injection. All I know is that the hacker can type a query into the input boxes, so my plan is to trap any input that has INSERT, DELETE, SELECT (and other potential queries) in it, and any other input that has a semicolon or more than one apostrophe.

Is my plan OK, or does it seem ridiculous?

Re: SQL injection

Posted: Mon May 12, 2008 7:03 am
by Mordred
Ridiculous. (If you have little knowledge about something, ask someone who does, instead of trying to solve a problem that you don't understand.)
Use escaping and quoting.
pg_escape_string() for PostgreSQL, mysql_real_escape_string() for MySQL.

Other things that could go wrong: http://www.webappsec.org/projects/articles/091007.shtml
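An added example, not code from either poster: it contrasts the keyword/apostrophe filter proposed in the question with the escaping Mordred recommends and with a parameterized query, using Python and an in-memory SQLite database as a stand-in for PHP and PostgreSQL. `escape_string()` is a constructed stand-in for pg_escape_string(), and the sample inputs are constructed legitimate values that a real user might type.

```python
import sqlite3

# Constructed sample inputs: every one is a legitimate value, not an attack.
LEGIT_INPUTS = [
    "O'Brien",                        # one apostrophe
    "Rock 'n' Roll",                  # two apostrophes
    "Select model; delete old one",   # SQL keywords and a semicolon in plain English
]

# Keywords the question proposes to block (UPDATE/DROP added as "other potential queries").
BLACKLIST = ("INSERT", "DELETE", "SELECT", "UPDATE", "DROP")


def keyword_filter_rejects(value: str) -> bool:
    """The filter from the question: reject input containing a blacklisted
    keyword, a semicolon, or more than one apostrophe."""
    upper = value.upper()
    if any(k in upper for k in BLACKLIST):
        return True
    return ";" in value or value.count("'") > 1


def escape_string(value: str) -> str:
    """Stand-in for pg_escape_string(): double every single quote so the value
    can sit inside a quoted SQL string literal (assumes the quote is the only
    special character, which holds for standard-conforming PostgreSQL strings)."""
    return value.replace("'", "''")


def store_and_fetch_escaped(conn, name):
    """Escape-and-quote approach: the value is spliced into the SQL text."""
    conn.execute("INSERT INTO users (name) VALUES ('%s')" % escape_string(name))
    row = conn.execute("SELECT name FROM users WHERE name = '%s'" % escape_string(name)).fetchone()
    return row[0]


def store_and_fetch_param(conn, name):
    """Parameterized approach: the driver keeps data separate from the SQL text."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()[0]


def compare_approaches():
    """For each input: does the blacklist reject it, and does each safe approach round-trip it?"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return {
        v: {
            "blacklist_rejects": keyword_filter_rejects(v),
            "escaped_roundtrip": store_and_fetch_escaped(conn, v) == v,
            "param_roundtrip": store_and_fetch_param(conn, v) == v,
        }
        for v in LEGIT_INPUTS
    }
```

The blacklist rejects two of the three ordinary inputs while letting "O'Brien" through, so it neither reliably blocks nor reliably allows; escaping and parameters both store and retrieve all three unchanged. In PHP the parameterized form is pg_query_params() or a PDO prepared statement, which avoids having to get the quoting right at all.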