What do I need to escape when sending a query?

Question

When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website.

I usually just have a function escape_string(blah), which:

  • Replaces escapes (\) with double escapes (\\).
  • Replaces single quotes (') with an escaped single quote (\').

Is this adequate? Is there a hole in my code? Is there a library which can do this quickly and reliably for me?

I'd like to see graceful solutions in Perl, Java, and PHP.

Answer

For maximum security, performance, and correctness use prepared statements. Here's how to do this with lots of examples in different languages, including PHP:

http://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

via What do I need to escape when sending a query? (http://stackoverflow.com/questions/2688/)
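The point of the answer above, shown as an added example that is not part of the original post: the questioner's escape_string is only correct for MySQL's quoting rules, so splicing its output into SQL text breaks on another engine even for honest input, while a placeholder works everywhere because the value never becomes part of the statement. Python's sqlite3 with a constructed in-memory table stands in here; the same idea is DBI placeholders in Perl, PreparedStatement in Java and PDO prepared statements in PHP.

```python
import sqlite3


def escape_string(value: str) -> str:
    """The questioner's approach: backslash-escape backslashes and single quotes.

    This matches MySQL's string syntax only. Standard SQL (and SQLite) escapes a
    quote by doubling it and treats a backslash as an ordinary character, and even
    on MySQL the driver's own escaping function is needed because correct escaping
    depends on the connection character set. Hand-rolled escaping is fragile.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_db() -> sqlite3.Connection:
    # Constructed sample data, in memory, so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    return conn


def lookup_with_escaping(conn: sqlite3.Connection, name: str):
    """String building: the escaped value is spliced into the SQL text.

    Works for plain names; a legitimate name containing a quote produces a
    statement SQLite cannot parse, because \\' is not an escape for SQLite.
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % escape_string(name)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: %s" % exc


def lookup_with_placeholder(conn: sqlite3.Connection, name: str):
    """Prepared statement: the value is bound separately from the SQL text, so no
    character in it can be read as syntax. Quotes, keywords and comment markers in
    the input are simply compared literally against the name column."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]
```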