Comments on: Preventing SQL Injection with MySQL and PHP

By: Web Developers, Beware, Your website might be hacked « kenyandeveloper

Web Developers, Beware, Your website might be hacked « kenyandeveloper — Thu, 12 Jan 2012 18:10:49 +0000

[...] How To prevent MySQL injection http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/ [...]

By: Prevenindo SQL Injection com PHP | Flávio Studart

Prevenindo SQL Injection com PHP | Flávio Studart — Wed, 21 Dec 2011 18:12:51 +0000

[...] http://www.tech-evangelist.com/2007/11/05/preventing-sql-injection-attack/ [...]

By: Doogie

Doogie — Wed, 14 Dec 2011 22:47:41 +0000

Hi Tibob

You missed the details in the explanation. “If you are wondering what the trailing ‘i’ is following each word in the array, it is required to make the preg_replace replacements case insensitive.” So if you do it that way, the bad words are not case sensitive.

By: Tibob

Tibob — Wed, 14 Dec 2011 22:19:45 +0000

Are the “bad words” case-sensitive? What if someone tries to inject, for example, UPDATE or Update instead of update? Do I have to add an uppercase version of each of the bad words to the list?
Thanks for the article, by the way?

By: Jim

Jim — Mon, 12 Sep 2011 17:35:31 +0000

Hey guys (and gals) what about PHP using MS SQL. Is there a “mysql_real_escape_string” type string for use with MS SQL server backend? I’m getting hacked all the time!

By: Password validation | SeekPHP.com

Password validation | SeekPHP.com — Wed, 07 Sep 2011 11:24:43 +0000

[...] – you should really read about SQL Injection. And I don’t mean the XKCD comics. In the following link you can find few examples and guidelines about how the make clear and safe query for both your [...]

By: matt

matt — Wed, 03 Aug 2011 13:58:52 +0000

@Tim – storing userdate with htmlentities parsed is STUPID. You should parse for html-entities on data output, and just store the raw data.

The issue with html entities is to prevent XSS attacks, and is a presentation layer issue.

By: Doogie

Doogie — Tue, 26 Jul 2011 15:19:16 +0000

Hi Steve

You can always add it if you want. We focused on the list of words that can lead to database damage.

By: Steve

Steve — Tue, 26 Jul 2011 08:05:20 +0000

Wouldn’t it also be good to have “select” in your list of bad words? Kill the string stone dead.

By: Aadil

Aadil — Wed, 20 Jul 2011 07:14:04 +0000

Hi there…

Thanx for this.

Please advise how I could go about testing if this is actually working.

Thanx again.