Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: "Koen Bossaert" <koen.bossaert () gmail com>
Date: Thu, 8 Feb 2007 10:55:53 +0100
You probably also don't want * and %. You can also make use of prepared statements or stored procedures against SQL Injection.

Regards,
Koen

On 2/7/07, Kellox <kellox () mymail ch> wrote:
hi everyone!

i was just wondering if this filter function written in php is safe against sql injections:

    function filter($string) {
        $replace = "";
        // characters to strip from the input before escaping
        $search = array(">", "<", "|", ";");
        // strip the blacklist, then escape quotes and backslashes for MySQL
        $result = mysql_escape_string(str_replace($search, $replace, $string));
        return $result;
    }

or could anyone imagine an sql injection attack which bypasses this filter function?
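Koen's suggestion of prepared statements, worked out as an added example (this is not code from either poster). It assumes a MySQL table `users` with `username` and `email` columns and a placeholder PDO DSN and credentials; it also shows the `%`/`_` point, since binding a value does not stop it acting as a LIKE wildcard.

```php
<?php
// Added example, not code from the original thread. The DSN, credentials
// and the `users` table are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use the server's native prepared statements
]);

// Exact match: the value is sent as a bound parameter, so quotes, ';', '|',
// '<' and '>' are plain data and no character blacklist is needed.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prefix search: binding does not neutralise LIKE wildcards, so '%' and '_'
// (the characters Koen mentions) are escaped with an explicit escape
// character, which must itself be escaped first.
function escapeLike(string $value, string $escapeChar = '!'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $value
    );
}

function findUsersByPrefix(PDO $pdo, string $prefix): array
{
    // The ESCAPE clause names the same character escapeLike() used.
    $stmt = $pdo->prepare(
        "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '!'"
    );
    $stmt->execute([escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the first would have been mangled by the blacklist
// filter yet is harmless as a bound value; the second, without escapeLike(),
// would match every username instead of only those starting with "a%".
var_dump(findUser($pdo, "o'brien <admin>"));
var_dump(findUsersByPrefix($pdo, 'a%'));
```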
Current thread:
- PHP filter function against SQL injections Kellox (Feb 07)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 07)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- FW: PHP filter function against SQL injections kevin fielder (Feb 08)
- Re: PHP filter function against SQL injections Henry Troup (Feb 12)
- Re: PHP filter function against SQL injections Henry Troup (Feb 13)