
Re: Newb needs help SQL Injection prevention
Posted by: Rick James
Date: June 27, 2012 10:57PM

This quotes the necessary things, thereby preventing syntax errors (if the user includes an apostrophe) and SQL injections (if someone is trying to take advantage of that):
$ENG = mysql_escape_string($ENG);

The Stored procedure won't help at all -- you have to CALL the SP:
... mysql_query("CALL eng_lookup('$ENG')");

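The mechanism the post relies on is that escaping turns an apostrophe inside the value into a character the parser no longer treats as the end of the string literal. The following is an added example, not Rick James's code and not PHP: it is a Python reimplementation of the escaping rules PHP's `mysql_escape_string()` applies (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z), builds the same `CALL eng_lookup('...')` statement, and then parses the literal back out to check that one input value stayed exactly one literal. The procedure name `eng_lookup` comes from the post; the sample inputs are constructed.

```python
# Added example: approximation of mysql_escape_string() escaping in pure Python,
# plus a small literal parser to check the CALL statement stays well-formed.

# Characters mysql_escape_string() rewrites, mapped to their escaped forms.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# Reverse map for the parser: the character after a backslash -> decoded value.
_UNESCAPES = {esc[1]: raw for raw, esc in _ESCAPES.items()}


def mysql_escape(value: str) -> str:
    """Escape value the way mysql_escape_string() does (character-level approximation)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_call(proc: str, value: str) -> str:
    """Build the statement the post builds: CALL proc('<escaped value>')."""
    return f"CALL {proc}('{mysql_escape(value)}')"


def string_literals(sql: str) -> list[str]:
    """Return the decoded single-quoted literals in sql, honouring backslash escapes.

    Raises ValueError if a literal is opened but never closed, which is exactly
    what happens when an unescaped apostrophe splits the value in two.
    """
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1  # skip opening quote
        buf = []
        while i < n and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < n:
                # MySQL decodes \x to the mapped character, or to x if unknown.
                buf.append(_UNESCAPES.get(sql[i + 1], sql[i + 1]))
                i += 2
            else:
                buf.append(sql[i])
                i += 1
        if i >= n:
            raise ValueError("unterminated string literal")
        literals.append("".join(buf))
        i += 1  # skip closing quote
    return literals


def is_well_formed(sql: str) -> bool:
    """True if every literal in sql is properly terminated."""
    try:
        string_literals(sql)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: an apostrophe and a backslash in user input.
    for eng in ["O'Brien", "a\\b"]:
        stmt = build_call("eng_lookup", eng)
        print(stmt, "->", string_literals(stmt))
    # The unescaped form the post warns about: a plain syntax error.
    print(is_well_formed("CALL eng_lookup('O'Brien')"))
```

Note that `mysql_escape_string()` escapes without knowing the connection's character set, which is why PHP deprecated it in favour of `mysql_real_escape_string()` and, later, prepared statements; a `CALL eng_lookup(?)` with a bound parameter removes the quoting step from application code entirely.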



