[CentOS] C5 MySQL injection attack ("Union Select")

Thu Mar 24 16:18:46 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 03/24/2016 07:57 AM, Always Learning wrote:
> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET['....'],$link);

No.  No.  Nooooooooo.

You're missing the point that everyone is trying to communicate to you.  
Do not use string concatenation.  Do not use sprintf.  Do not use 
mysql_real_escape_string().

Use prepared statements.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
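To show the difference concretely, here is an added example (not code from this thread or from php.net): the same `$_GET`-driven lookup written once with string concatenation and once with a mysqli prepared statement. The `products` table, its columns, and the connection credentials are assumed for illustration.

```php
<?php
// Added example: same query two ways. Table/columns/credentials are assumed.
$link = mysqli_connect('localhost', 'app', 'secret', 'shop');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// VULNERABLE: the request parameter becomes part of the SQL text itself, so
// it can change the statement's structure (a UNION, an extra clause, ...).
// Length limits, strip_tags() and even mysql_real_escape_string() only
// narrow this hole; they do not close it.
function find_product_vulnerable(mysqli $link, string $id): ?array
{
    $sql = "SELECT name, price FROM products WHERE id = " . $id;
    $res = mysqli_query($link, $sql);
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

// SAFE: the statement is sent to the server with a placeholder before any
// user data exists. The bound value travels separately and is always treated
// as a value, never parsed as SQL, whatever characters it contains.
function find_product_safe(mysqli $link, string $id): ?array
{
    $stmt = mysqli_prepare($link, 'SELECT name, price FROM products WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    // 's' binds a string; for a numeric id, 'i' with an (int) cast is stricter.
    mysqli_stmt_bind_param($stmt, 's', $id);
    mysqli_stmt_execute($stmt);
    // mysqli_stmt_get_result() needs the mysqlnd driver (default on modern PHP).
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

$id = $_GET['id'] ?? '';
var_dump(find_product_safe($link, $id));
```

Only `find_product_safe()` should ever reach production; the vulnerable version is shown solely so the two can be compared side by side.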