[CentOS] C5 MySQL injection attack ("Union Select")
Always Learning
centos at u64.u22.net
Thu Mar 24 17:13:08 UTC 2016
- Previous message: [CentOS] C5 MySQL injection attack ("Union Select")
- Next message: [CentOS] C5 MySQL injection attack ("Union Select")
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:

> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition to PHP's
> > strip_tags and (deprecated in later versions)
> > mysql_real_escape_string($_GET['....'],$link);
>
> No. No. Nooooooooo.
>
> You're missing the point that everyone is trying to communicate to you.
> Do not use string concatenation. Do not use sprintf. Do not use
> mysql_real_escape_string().

I have never (not once) used non-prepared SQL statements, nor string
concatenation, nor sprintf.

mysql_real_escape_string() is useful for storing in tables words with
apostrophes.

--
Regards,

Paul.
England, EU. England's place is in the European Union.
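The point the thread is circling (prepared statements make escaping functions unnecessary, including for the apostrophe case Paul mentions) shown as an added example that is not from the thread or from either poster. It uses PDO against an in-memory SQLite database so it runs offline; the same PDO calls work unchanged against MySQL, and the "O'Brien" input is constructed for the demonstration.

```php
<?php
// Added example, not from the mailing-list thread. PDO + in-memory SQLite
// stands in for MySQL so this runs without a database server.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Prepared INSERT: the apostrophe in "O'Brien" is stored verbatim with no
// escaping call at all, because the value never becomes part of the SQL text.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => "O'Brien"]);
$insert->execute([':name' => 'Smith']);

// Constructed input containing a single quote, as a web form might submit it.
$input = "O'Brien";

// Vulnerable pattern: string concatenation. The quote in the input changes
// the structure of the statement; here that only produces a syntax error,
// which is exactly the symptom that precedes an injection.
function findByConcatenation(PDO $pdo, string $name): string
{
    try {
        $row = $pdo->query("SELECT name FROM users WHERE name = '" . $name . "'");
        return 'ran, returned: ' . var_export($row->fetchColumn(), true);
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// Hardened pattern: the parameter travels separately from the SQL text, so
// the quote can only ever be compared as data, never parsed as syntax.
function findByPreparedStatement(PDO $pdo, string $name): ?string
{
    $select = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $select->execute([$name]);
    $found = $select->fetchColumn();
    return $found === false ? null : (string) $found;
}

echo "concatenated: " . findByConcatenation($pdo, $input) . "\n";
echo "prepared:     " . var_export(findByPreparedStatement($pdo, $input), true) . "\n";
```

The prepared lookup returns the stored "O'Brien" row, while the concatenated version fails on the same input; with a MySQL DSN in place of `sqlite::memory:` the behaviour is identical.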