Security Basics mailing list archives
RE: magic_quotes
From: "Steve Hillier" <securityfocus () mastermindtoys com>
Date: Tue, 21 Jun 2005 13:49:55 -0400
I usually use the MySQL Improved functions (mysqli*) so I was just lazy and didn't look up all the corresponding regular mysql functions. It is better to use mysql_real_escape_string (or mysqli_real_escape_string in my case). I'm not sure if this is the thread where we should debate this, but I think there are enough positives and negatives with stored procedures that using such a tool would require serious thought. Just my $0.02. sph
-----Original Message-----
From: Christoph 'knurd' Jeschke [mailto:christoph.jeschke () gmail com]
Sent: Monday, June 20, 2005 8:06 p
To: security-basics () securityfocus com
Subject: Re: magic_quotes

Steve Hillier wrote:
> You should be using mysql_escape_string() to sanitise your input strings if you're going to be using them as-is inside SQL statements.

Better use Stored Procedures (MySQL5) and mysql_real_escape_string instead of mysql_escape_string.
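The point both posters make is that the escape function has to be tied to the live connection (mysql_real_escape_string / mysqli_real_escape_string) rather than the connection-less mysql_escape_string, and that magic_quotes must not be stacked on top of it. The following is an added example written for this archive page, not code posted by either participant. It assumes a reachable MySQL server (the host, credentials and database name are placeholders) and a hypothetical `users` table with `id`, `email` and `username` columns.

```php
<?php
// Added example (not from the thread): escaping a request value for a MySQL
// statement with mysqli_real_escape_string, as the replies recommend.
// Connection parameters below are placeholders; the users table is assumed.

declare(strict_types=1);

/**
 * Escape a value taken from GET/POST/COOKIE data for use inside a
 * single-quoted SQL string literal.
 *
 * mysqli_real_escape_string is used rather than mysql_escape_string because
 * it escapes according to the character set of the open connection, so
 * multi-byte input is handled correctly. If the legacy magic_quotes_gpc
 * setting is on (PHP < 5.4), request data already carries backslashes; they
 * are removed first so the value is not escaped twice.
 */
function escape_request_value(mysqli $db, string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysqli_real_escape_string($db, $value);
}

/**
 * Build the lookup statement. The escaped value must be placed between
 * single quotes: escaping only neutralises quote and backslash characters,
 * it does nothing for a value dropped into an unquoted (e.g. numeric) slot.
 */
function build_user_query(mysqli $db, string $username): string
{
    return "SELECT id, email FROM users WHERE username = '"
        . escape_request_value($db, $username) . "'";
}

// --- usage ---------------------------------------------------------------
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
if ($db === false) {
    die('connect failed: ' . mysqli_connect_error());
}
// Set the charset on the connection object so the escape routine sees it.
mysqli_set_charset($db, 'utf8mb4');

// Constructed sample input containing a quote: the case that breaks plain
// string concatenation of $_GET['username'] into the statement.
$input = $_GET['username'] ?? "o'brien";
$sql   = build_user_query($db, $input);

$result = mysqli_query($db, $sql);
if ($result === false) {
    die('query failed: ' . mysqli_error($db));
}
while ($row = mysqli_fetch_assoc($result)) {
    printf("%d %s\n", $row['id'], $row['email']);
}
mysqli_close($db);
```

The escaping helper is deliberately only applied to request data: stripslashes() on a value that did not pass through magic_quotes would corrupt legitimate backslashes. Escaping also does not make an unquoted interpolation safe, which is why build_user_query() keeps the quotes around the escaped value in the SQL text.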
Current thread:
- magic_quotes Pablo Fernández (Jun 20)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 22)
- Re: magic_quotes Pablo Fernández (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Ben Sytko (Jun 20)
- <Possible follow-ups>
- Re: RE: magic_quotes miguel . vieira (Jun 22)
- Re: magic_quotes maarten (Jun 24)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 27)
- Re: magic_quotes mickael kael (Jun 27)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 28)
- Re: magic_quotes Tony Stahler (Jun 28)