MYSQL - What all do I need to escape when sending a (My)SQL query?

When you execute a SQL query, you have to clean your 'strings' or users can execute malicious SQL on your website.

I usually just have a function escape_string(blah), which:

Replaces escapes () with double escapes (\).
Replaces single quotes (') with an escaped single quote (\').

Is this adequate? Is there a hole in my code? Speedy library to reliably do this for me?

I'd like to see graceful solutions in:

Perl
Java
PHP

This question and answers originated from www.stackoverflow.com

Question by superjoe30 (8/5/2008 6:45:46 PM)

Answer

For maximum security, performance, and correctness use prepared statements. Here's how to do this with lots of examples in different languages, including PHP:

http://efreedom.com/Question/1-1973/what-is-the-best-way-to-avoid-sql-injection-attacks

Answer by Mark Harrison

Show Additional Answers >>

Find More Answers

Related Questions

Do I need to escape characters when sending emails?
I'm using Django Contact Form on a website to allow visitors to send emails. Currently, it's escaping characters, so single and double quotation marks are converted to ' and " re…
Should I use PDO to sanitize my Sql queries or is "mysql_real_escape_string" enough?
I have a simple classifieds website... Classifieds are inserted into MySql tables and the only thing I use to sanitize user input is mysql_real_escape_string . Is this enough? The PDO is th…
Do I need to Escape a Subquery?
I have a SQL query that goes like this: UPDATE User SET flag='Y' WHERE email=(SELECT email FROM Forum WHERE id='$id'); Because the email address can consist of single quotes and some special …
what mysql query should i use to select a category that matches ALL my criteria?
i have the following data in my table called cat_product cat_id product_id 1 2 1 3 2 2 2 4 If given a set of values for product_id (2,3) i want to know the unique cat_id. In t…
Zend - Do I need to use quote() when inserting/updating?
I'm developing an application that allows users to input into VARCHAR(255) fields in mySQL, so security is a major concern. I am having trouble understanding quote(). If I use quote('test'), the …
What do I need to know when going from MS SQL server to MySQL
I've been trying to specialize into the MS SQL server technologies, but my job has required me to understand more MySQL recently. Has any MS SQL DBA or developer had to do this, and if so, what were…
Do I need to make one sql query for each keyword in a text?
I am working on a content rewriter, basically it will replace words with their synonyms. I have the synonms in a mySQL database, the table contains 3 columns id int(11) keyword varchar(50…
Found a weak escape function for MySql, how to exploit?
In an application I'm working on I've found a weak escape function to prevent injection. I'm trying to prove this, but I'm having trouble coming up with a simple example. The escape function work…
Do I need to use mysql_real_escape_string on all form inputs?
I know I need to use them on user input fields such as a username entry field, but what about for radio buttons such as a gender option?
How is this MySQL query vulnerable to SQL injection?
In a comment on a previous question, someone said that the following sql statement opens me up to sql injection: select ss.*, se.name as engine, ss.last_run_at + interval ss.refresh_frequency …