I know that mysql_real_escape_string() prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. I know how this protects a query from injection into something like a variable in a where clause. But here's a scenario I am unsure of:

[code]$query = "SELECT * FROM $db WHERE 1";[/code]

If $db is taken from user input, then the user could insert something like:

[code]$db = 'RealDatabase WHERE 1; DELETE FROM RealDatabase WHERE 1; SELECT FROM RealDatabase';[/code]

From my understanding, mysql_real_escape_string() would not affect this string, making the final query:

[code]$query = "SELECT * FROM RealDatabase WHERE 1; DELETE FROM RealDatabase WHERE 1; SELECT FROM RealDatabase WHERE 1";[/code]

which would delete the database. Is there another level of protection I am unaware of?
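An added example in PHP, not from the poster, showing the point in code: the escaping character set the question lists leaves the injected table name untouched, whereas an allowlist check on the identifier rejects it. The escape emulation and the table list are constructed stand-ins (no database connection needed); safeTable() is a hypothetical helper name.

```php
<?php
// Added example, not from the original post.
declare(strict_types=1);

// Constructed emulation of the character set the question lists for
// mysql_real_escape_string(), so this runs without a DB connection.
// (The real function is connection- and charset-aware; use it in production.)
function emulateEscape(string $s): string {
    return strtr($s, [
        "\x00" => '\0', "\n" => '\n', "\r" => '\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\"', "\x1a" => '\Z',
    ]);
}

// Constructed allowlist of table names the application actually exposes.
const ALLOWED_TABLES = ['RealDatabase', 'Archive'];

// Hypothetical helper: identifiers are never escaped into a query, they are
// matched against a fixed list and then backtick-quoted.
function safeTable(string $userInput): string {
    if (!in_array($userInput, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return '`' . str_replace('`', '``', $userInput) . '`';
}

// The payload from the question.
$db = 'RealDatabase WHERE 1; DELETE FROM RealDatabase WHERE 1; SELECT FROM RealDatabase';

// Escaping changes nothing: ';', spaces and keywords are not in the escaped set,
// so the interpolated query still carries the DELETE statement.
$escaped = emulateEscape($db);
var_dump($escaped === $db);
echo "SELECT * FROM $escaped WHERE 1\n";

// Allowlisting rejects the payload before any SQL is built.
try {
    $query = "SELECT * FROM " . safeTable($db) . " WHERE 1";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// A legitimate value passes and comes back quoted as an identifier.
echo "SELECT * FROM " . safeTable('RealDatabase') . " WHERE 1\n";
```

The same rule applies to column names, ORDER BY targets and any other identifier: escaping is for string literals only, so identifiers taken from input must be validated against a fixed list rather than escaped.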