[CentOS] C5 MySQL injection attack ("Union Select")
Always Learning
centos at u64.u22.net
Thu Mar 24 17:13:08 UTC 2016
On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:
> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition to PHP's
> > strip_tags and (deprecated in later versions)
> > mysql_real_escape_string($_GET['....'],$link);
>
> No. No. Nooooooooo.
>
> You're missing the point that everyone is trying to communicate to you.
> Do not use string concatenation. Do not use sprintf. Do not use
> mysql_real_escape_string().
I have never (not once) used non-prepared SQL statements, nor string
concatenation, nor sprintf.
mysql_real_escape_string() is useful for storing in tables words with
apostrophes.
--
Regards,
Paul.
England, EU. England's place is in the European Union.
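An added worked example, not part of the thread above and not Paul's or Gordon's code: it shows the two points being argued, namely that a "Union Select" payload in a web parameter rewrites a concatenated query but is inert when the value is bound to a prepared statement, and that a bound parameter also stores a name with apostrophes without any escaping routine. It uses Python's sqlite3 with an in-memory database as a stand-in for PHP and MySQL (an assumption made so it runs stand-alone; the mechanism is the same), and the tables, rows and payload are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows (not from the thread): a public products
# table and a private users table that an attacker would like to read.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
INSERT INTO users (login, pw_hash) VALUES ('admin', 'constructed-hash-value');
"""

# A classic UNION SELECT payload for a $_GET[] parameter: it closes the quoted
# literal, appends a second SELECT with the same column count, and comments
# out the trailing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT login, pw_hash FROM users --"


def make_db():
    """Return a fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_products_concat(conn, name):
    """Vulnerable: the parameter is spliced into the SQL text, so any quote
    in it changes the structure of the statement."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_products_prepared(conn, name):
    """Safe: the SQL is fixed and the value is bound as a parameter, so the
    database never parses the user's text as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def store_product_prepared(conn, name, price):
    """Insert a name containing apostrophes with a bound parameter (no
    escaping routine needed) and read it back the same way."""
    conn.execute("INSERT INTO products (name, price) VALUES (?, ?)", (name, price))
    return find_products_prepared(conn, name)


def concat_query_breaks(conn, name):
    """True if the concatenated query fails to parse for this input, which is
    what happens to a plain apostrophe without an escaping step."""
    try:
        find_products_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concat  :", find_products_concat(db, UNION_PAYLOAD))    # leaks users rows
    print("prepared:", find_products_prepared(db, UNION_PAYLOAD))  # no rows
    print("apostrophe via prepared:",
          store_product_prepared(db, "O'Brien's widget", 1.0))
    print("concat breaks on apostrophe:",
          concat_query_breaks(db, "O'Brien's widget"))
```

Run it as a script to see the concatenated lookup return the admin login and hash from the users table while the prepared lookup returns nothing for the same input, and the apostrophe name round-trip cleanly through the bound INSERT.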