Home page logo
/

basics logo Security Basics mailing list archives

RE: magic_quotes
From: "Steve Hillier" <securityfocus () mastermindtoys com>
Date: Tue, 21 Jun 2005 13:49:55 -0400

I usually use the MySQL Improved functions (mysqli*) so I was just lazy
and didn't look up all the corresponding regular mysql functions. It is
better to use mysql_real_escape_string (or mysqli_real_escape_string in
my case).

I'm not sure if this is the thread where we should debate this, but I
think there are enough positives and negatives with stored procedures
that using such a tool would require serious though.

Just my $0.02.

sph


-----Original Message-----
From: Christoph 'knurd' Jeschke [mailto:christoph.jeschke () gmail com] 
Sent: Monday, June 20, 2005 8:06 p
To: security-basics () securityfocus com
Subject: Re: magic_quotes


Steve Hillier schrieb:

You should be using mysql_escape_string() to sanitise your input 
strings if you're going to be using them as-is inside SQL 
statements.

Better use Stored Procedures (MySQL5) and 
mysql_real_escape_string instead of mysql_escape_string.




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]