Author Topic: SQL security  (Read 641 times)

Chris (Game Owner)
SQL security
« on: September 12, 2008, 04:09:23 AM »
SQL injection:
http://dev.mysql.com/doc/mysqld-version-reference/en/ch05s01s04.html
If I understood correctly, this security hole can be used only if we set some strange charset for the table, right?

JGadrow
Re: SQL security
« Reply #1 on: September 12, 2008, 06:35:56 AM »
If you use any charset other than latin1 (which includes utf-8) AND you're using the C API version of mysql_real_escape_string().
However, the best practice is still to use prepared statements and bound parameters, as you're telling the server the exact query you intend to run before passing any potentially harmful data. If you're doing that, then this security vulnerability doesn't apply.
Idiocy - Never underestimate the power of stupid people in large groups.
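An added example, not from either post above, that makes the mechanism concrete in Python. The trick the MySQL page describes works when the server decodes the query in a multibyte charset whose trailing bytes can include 0x5C (the backslash), such as GBK, SJIS or Big5: a byte-oriented escaper inserts a backslash before the attacker's quote, the server then reads that backslash as the second half of a two-byte character, and the quote is left unescaped. Everything here is a stand-in written for this example: `naive_escape` models byte-by-byte escaping (addslashes-style, or the C API mysql_real_escape_string() when it is not told the connection charset), `first_literal` is a deliberately small model of how a MySQL-style parser reads a backslash-escaped single-quoted literal, and sqlite3 stands in for MySQL in the bound-parameter half, since its parameter binding behaves the same way for this purpose. The payload and the table contents are constructed.

```python
import sqlite3

# Constructed attacker input: a GBK lead byte (0xBF) followed by a quote.
# A byte-oriented escaper turns 0xBF 0x27 into 0xBF 0x5C 0x27, and a GBK
# decoder reads 0xBF 0x5C as one character, leaving the 0x27 quote live.
PAYLOAD = b"\xbf' OR 1=1 -- "


def naive_escape(value: bytes) -> bytes:
    """Byte-by-byte escaping, modelled on addslashes() or on the C-API
    mysql_real_escape_string() on a connection whose charset it does not
    know. It never looks at multibyte character boundaries.
    This is a stand-in for the example, not the MySQL function itself."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escaped_query(username: bytes) -> bytes:
    """The string-concatenation pattern that escaping is meant to protect."""
    return b"SELECT name FROM users WHERE name = '" + naive_escape(username) + b"'"


def first_literal(sql: str) -> tuple:
    """Simplified model of a MySQL-style parser reading a single-quoted
    literal: backslash escapes the next character, an unescaped quote
    ends the literal. Returns (literal_body, text_after_literal)."""
    i = sql.index("'") + 1
    body = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            body.append(sql[i + 1])
            i += 2
            continue
        if ch == "'":
            return "".join(body), sql[i + 1:]
        body.append(ch)
        i += 1
    raise ValueError("unterminated literal")


def leaked_sql(username: bytes, charset: str) -> str:
    """Text that escapes the literal and is parsed as SQL, given the charset
    the server uses to decode the query bytes. Empty string means the
    escaping held. Undecodable bytes are replaced rather than rejected so
    that the latin1/utf-8 cases can be compared with gbk."""
    sql = escaped_query(username).decode(charset, errors="replace")
    _body, rest = first_literal(sql)
    return rest.strip()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement with a bound parameter: the query shape is fixed
    before the value is seen, so no charset decoding trick can alter it."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    for cs in ("latin1", "utf-8", "gbk"):
        print(f"{cs:7s} leaked SQL after the literal: {leaked_sql(PAYLOAD, cs)!r}")
    db = make_db()
    print("bound parameter, same payload:",
          lookup_parameterized(db, PAYLOAD.decode("gbk", errors="replace")))
```

Running it shows the same escaped bytes are harmless under latin1 and utf-8 (a backslash byte can never be swallowed into a multibyte sequence there) and inject `OR 1=1 -- ` under gbk, while the bound parameter returns no rows whatever the charset.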