AnonTalk BBS — Discuss anything anonymously without registration.

Topic: SQL syntax: ' vs. ‘

Anonymous 817cdf0933ea5cd68e78d23f3ed21d8b started this discussion 3 months (2008-08-20 08:58:46 UTC) ago:

Is it more secure to surround certain parts of SQL using ‘ instead of '? If not, why do some people do this?

For example: "SELECT * FROM users WHERE `username` = $username AND `password` = $db_password"

Anonymous 817cdf0933ea5cd68e78d23f3ed21d8b (OP) replied with this 3 months (2008-08-20 09:00:35 UTC) ago, 2 minutes later (#52,362):

Yes, I made some obvious errors in my post. I meant ` instead of '.

Anonymous 1dc8f8ee7da8dc4ae669914f81a51c37 replied with this 3 months (2008-08-20 09:02:56 UTC) ago, 2 minutes later (#52,363):

then instead of and

Anonymous 817cdf0933ea5cd68e78d23f3ed21d8b (OP) replied with this 3 months (2008-08-20 09:06:05 UTC) ago, 3 minutes later (#52,364):

@52,363

What?

Anonymous 7d7f232f383027dcc49123d27335ea4a replied with this 3 months (2008-08-20 19:20:08 UTC) ago, 10 hours later (#52,553):

I use backticks ` for table and column names because they are internal names, and single quotes ' for string constants and variables.

Either way everything is escaped and I see no reason why such statements would be vulnerable to injection attacks.

Anonymous a618aed77cc853ed965f21ecb594f832 replied with this 3 months (2008-08-20 21:04:54 UTC) ago, 2 hours later (#52,630):

A better syntax would be to run all your variables through an injection function to search for injections.

Run the checks before you even query your database.

Proper SQL syntax uses backticks; also, if you do not use them with certain table/row names you can get errors. I have run across problems using "id". Most of the time if you name a variable the same thing, etc., you can run into problems. Also phpmyadmin uses backticks, and a lot of beginners use phpmyadmin to learn SQL querying, and that is one big reason for it.
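As an added illustration (not code posted in this thread) of the distinction the last two replies draw: backticks mark identifiers, while values need value quoting or, better, driver parameters. The sample table, the reserved-word column `order` and the user `o'reilly` are constructed for the demo; it assumes SQLite, which accepts MySQL-style backticks around identifiers.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample table with one user (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    # `order` is a reserved word: it can only be used as a column name when
    # quoted as an identifier. SQLite accepts backticks for that, like MySQL.
    conn.execute("CREATE TABLE users (`username` TEXT, `password` TEXT, `order` INTEGER)")
    conn.execute("INSERT INTO users VALUES ('o''reilly', 'hunter2', 1)")  # stored as o'reilly
    return conn


def lookup_interpolated(conn, username, password):
    """The OP's pattern: identifiers in backticks, but the values spliced straight
    into the SQL text. The backticks say nothing about the values, so a legitimate
    name containing a quote already breaks the statement. Returns the row or the
    error text."""
    sql = f"SELECT * FROM users WHERE `username` = {username} AND `password` = {password}"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        return f"error: {e}"


def lookup_parameterized(conn, username, password):
    """Same query with the values passed as parameters: the driver never treats
    them as SQL text, so quotes inside the values cannot change the statement."""
    sql = "SELECT * FROM users WHERE `username` = ? AND `password` = ?"
    return conn.execute(sql, (username, password)).fetchone()


def count_by_order_column(conn, quoted):
    """What the backticks are actually for: the reserved word `order` only
    parses as a column name when it is quoted as an identifier."""
    ident = "`order`" if quoted else "order"
    try:
        return conn.execute(f"SELECT COUNT(*) FROM users WHERE {ident} = 1").fetchone()[0]
    except sqlite3.Error as e:
        return f"error: {e}"


if __name__ == "__main__":
    db = setup_db()
    print(lookup_interpolated(db, "o'reilly", "hunter2"))   # error: the quote in the value breaks the SQL
    print(lookup_parameterized(db, "o'reilly", "hunter2"))  # ('o'reilly', 'hunter2', 1)
    print(count_by_order_column(db, quoted=False))          # error: "order" is a keyword here
    print(count_by_order_column(db, quoted=True))           # 1
```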

© AnonTalk.com 2008