Timeline for How can I prevent SQL injection in PHP?
Current License: CC BY-SA 4.0
17 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Jan 27, 2021 at 16:05 | comment | added | brut65 | | @Zaffy, thanks, it helps a lot. I tested it myself, and your "formula" hex/unhex prevents the most common SQL injection attacks. Is it possible to break this, a leak in the process or something? At least in a way that you know of... |
| Jun 12, 2020 at 3:53 | comment | added | Your Common Sense | | This overcomplicated approach is absolutely for naught. One could use a simple quoting function `"'".$mysqli->escape_string($_GET["id"])."'"` instead of this hexing/unhexing paraphernalia. But it will be equally limited, leaving your application exposed to SQL injection for the cases where it's inapplicable. |
| S Jun 12, 2020 at 3:31 | history | suggested | BushBush Saur | CC BY-SA 4.0 | improved formatting, changed blockquotes to code blocks |
| Jun 11, 2020 at 22:23 | review | Suggested edits | | | |
| S Jun 12, 2020 at 3:31 | | | | | |
| Dec 25, 2017 at 14:40 | history | edited | Nae | CC BY-SA 3.0 | Grammar improvement(s) |
| Oct 18, 2017 at 9:26 | history | edited | Palec | CC BY-SA 3.0 | Fixed reversed word order. |
| Oct 18, 2017 at 7:49 | history | edited | Farzad Karimi | CC BY-SA 3.0 | improved syntax |
| Jul 7, 2017 at 14:55 | history | made wiki | Post Made Community Wiki by animuson♦ | | |
| Jul 16, 2014 at 2:19 | history | edited | Peter Mortensen | CC BY-SA 3.0 | Copy edited. (its = possessive, it's = "it is" or "it has". See for example <http://www.wikihow.com/Use-its-and-it's>.) |
| Oct 12, 2013 at 9:27 | history | edited | user823738 | CC BY-SA 3.0 | added 875 characters in body |
| Jun 1, 2013 at 23:49 | comment | added | user823738 | | @SumitGupta Yea, you did. MySQL doesn't concatenate with `+` but with `CONCAT`. And as to performance: I don't think it affects performance, because MySQL has to parse the data and it doesn't matter if the origin is a string or hex. |
| Jun 1, 2013 at 12:53 | comment | added | Sumit Gupta | | I just tested: `SELECT * FROM tblproducts WHERE product_code LIKE ('%42%')` does find a record, but `SELECT * FROM tblproducts WHERE product_code LIKE ('%' +0x3432 +'%')` doesn't, so either it simply doesn't work or I did something wrong? |
| Jun 1, 2013 at 12:48 | comment | added | Sumit Gupta | | @Zaffy, I like the idea, but what about performance? I mean, if you have 1 million records and 1000 users searching, does it slow down compared to the prepared solution? |
| S Mar 8, 2013 at 16:57 | history | suggested | dadinck | CC BY-SA 3.0 | except -> expect, spelling error. |
| Mar 8, 2013 at 16:54 | review | Suggested edits | | | |
| S Mar 8, 2013 at 16:57 | | | | | |
| Feb 27, 2013 at 20:09 | history | edited | user823738 | CC BY-SA 3.0 | deleted 63 characters in body |
| Oct 3, 2012 at 14:07 | history | answered | user823738 | CC BY-SA 3.0 | |