preventing sql injection attacks

krraleigh
Forum Commoner
Posts: 86
Joined: Tue Jul 17, 2007 2:52 pm

preventing sql injection attacks

Post by krraleigh »

I have a function that adds ' ticks to the ends of my strings in the database. I was told to do this to prevent sql injection attacks.

I am using UPDATE to set the fields in my database, and after hours of testing I find that UPDATE won't allow me to insert ' ticks at the beginning and end of my values.

I can use ' ticks when I INSERT without a problem, just not when I UPDATE.

Has anyone ever heard of anything like this?
Can you show me where I went wrong?

I echoed the value just before it is placed in the UPDATE string and it clearly shows the ' ticks. I ran another test by placing the letter "z" in front of the tick to prove that my function was working properly and it worked great.

Very confused and could use some help.
Kevin
novice4eva
Forum Contributor
Posts: 327
Joined: Thu Mar 29, 2007 3:48 am
Location: Nepal

Re: preventing sql injection attacks

Post by novice4eva »

Why not just use bind variables!
Rovas
Forum Contributor
Posts: 272
Joined: Mon Aug 21, 2006 7:09 am
Location: Romania

Re: preventing sql injection attacks

Post by Rovas »

Have you tried escaping them (\')?
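The two replies above point at the same fix: stop adding or escaping quote characters by hand and let the driver carry the value separately from the SQL text. The following is an added example, not code from anyone in this thread; it uses PDO with an in-memory SQLite database so it runs stand-alone, and the table, row and input values are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): an UPDATE with bound parameters via PDO.
// SQLite in memory is used only so this runs without a server; the same code
// works against MySQL with a mysql: DSN (there you would also set
// PDO::ATTR_EMULATE_PREPARES to false so the server, not PHP, does the binding).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and starting row for the demonstration.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'placeholder')");

// Constructed untrusted input: it contains a single quote and an SQL fragment.
// Concatenated into the query text this would break the statement or change
// its meaning; as a bound parameter it is stored as plain data.
$newName = "O'Brien'; DROP TABLE users; --";
$id = 1;

// Placeholders stand where the values go. Do NOT wrap them in ' ticks and do
// NOT wrap the PHP values in ' ticks either: the driver supplies the quoting,
// and any ticks you add yourself would become part of the stored value.
$stmt = $pdo->prepare("UPDATE users SET name = :name WHERE id = :id");
$stmt->bindValue(':name', $newName, PDO::PARAM_STR);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// Read the row back to confirm the value round-tripped unchanged and the
// table survived the attempted injection.
$check = $pdo->prepare("SELECT name FROM users WHERE id = :id");
$check->execute([':id' => $id]);
$stored = $check->fetchColumn();

echo ($stored === $newName) ? "stored exactly as given\n" : "value altered\n";
echo "rows in users: " . $pdo->query("SELECT COUNT(*) FROM users")->fetchColumn() . "\n";
```

The same placeholder style applies to INSERT and SELECT, so one pattern replaces both the tick-adding function and the manual escaping suggested above.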
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: preventing sql injection attacks

Post by aceconcepts »
