All Questions
11 questions
1 vote, 0 answers, 21 views
Escape again after value manipulation in PHP [duplicate]
Let's say I have this code:
$value = mysqli_real_escape_string($con, $_POST['value']);
$value = strip_tags($value, '<br>');
for example with this value: $_POST['value'] = "<div>how<br/&...
2 votes, 1 answer, 1k views
Can I use mysql_real_escape_string function by passing the whole MySQL query as parameter?
I am working on securing a huge existing application against SQL injection. It is very old and it is close to impossible to refactor, due to the use of the famous "copy/paste" pattern development ...
0 votes, 1 answer, 2k views
Correct usage of Mysql real escape strings
I am new to SQL injection and would like to know if I am using the mysql_real_escape_string properly? Should I make strings for the database and password to make this secure? Any advice would be great ...
5 votes, 0 answers, 258 views
How to SQL inject when mysql_real_escape_string is used [duplicate]
This was marked as a duplicate, but I don't think that is a fair judgement. Again the question is being passed off with an easy answer... but it isn't the correct answer. If the "duplicate" answer is ...
0 votes, 1 answer, 3k views
How to check if PHP string is valid as a query parameter or not
I have a PHP application where I'm using PHP mysql native library to run and manage queries with the database.
In my application, I'm using an abstract layer to validate user input [and any other ...
1 vote, 1 answer, 247 views
using mysql_real_escape_string in blind code
I have a client which has a very large amount of code on its production server, now we are securing this server.
They have SQL vulnerability in their code, so we are adding
these commands in the ...
-2 votes, 5 answers, 7k views
mysql_real_escape_string Not Working with '
I have a form processed with PHP. It contains a field for Notes about the client job.
The problem is that if there is a ' within the notes - such as it's, O'Reilly, that's etc, it escapes the ...
12 votes, 2 answers, 3k views
Shortcomings of mysql_real_escape_string?
I have seen a few people on here state that concatenating queries using mysql_real_escape_string will not protect you (entirely) from SQL injection attacks.
However, I am yet to see an example of ...
4 votes, 3 answers, 812 views
Which SQL inject methods aren't "destroyed" by mysql_real_escape_string();?
Is there a list of SQL injection methods which can't be protected with just using mysql_real_escape_string(); with utf8 encoding?
For integer, I'm using intval();
Is it secure enough?
For those who ...
0 votes, 5 answers, 199 views
php securing get against others
I have a php file which at the start, assigns some variables from what was sent using $_GET.
It then does some mysql queries, processes the output, then echoes out some text and variables.
The only ...
17 votes, 3 answers, 7k views
Do I have to use mysql_real_escape_string if I bind parameters?
I have the following code:
function dbPublish($status)
{
global $dbcon, $dbtable;
if(isset($_GET['itemId']))
{
$sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
$stmt = $...