[quote] Possible Duplicate:
Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security? [/quote]

So basically I have a qryName in the URL, e.g.: mysite.com/qryName=WHAT

[code]
if (isset($_GET['qryName'])) {
    $qryName = mysql_real_escape_string(filter($_GET['qryName']));
}
$urldata = mysql_fetch_assoc(mysql_query("SELECT * FROM gangs WHERE ShortName = '" . $qryName . "' LIMIT 1"));
[/code]

$urldata is the code, so it pretty much selects from the database. Note that in the database, the qryName has no spaces, special chars etc. Just wondering if that is exploitable?
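As an added example (not code from the original post or its author), here is the same `gangs` lookup written with a mysqli prepared statement. Escaping inside a single-quoted literal, as the question does, only holds if mysql_real_escape_string() knows the connection's real character set (the documented bypass involves multi-byte charsets such as GBK when the charset is switched with a SQL statement instead of mysql_set_charset()); binding the value as a parameter keeps it out of the SQL text altogether, so that dependency disappears. The connection constants, the `utf8mb4` charset and the `[A-Za-z0-9_]{1,32}` whitelist are assumptions for illustration; the table and column names are the ones from the question. The mysql_* extension used in the post is deprecated since PHP 5.5 and removed in PHP 7.0, which is why mysqli is used here.

```php
<?php
// Added example (not from the original post): the gang lookup done with a
// mysqli prepared statement instead of mysql_real_escape_string() plus
// string concatenation.
//
// Assumptions (not in the original post): DB_* values are placeholders;
// the table is `gangs` with a `ShortName` column as in the question; the
// whitelist pattern below is a guess at "no spaces, special chars".

declare(strict_types=1);

const DB_HOST = 'localhost'; // placeholder
const DB_USER = 'app';       // placeholder
const DB_PASS = 'secret';    // placeholder
const DB_NAME = 'game';      // placeholder

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

// With the escaping approach the connection charset is load-bearing
// (multi-byte charsets are the known bypass). With bound parameters it is
// still good practice, but no longer what stands between input and SQL.
$db->set_charset('utf8mb4');

/**
 * Fetch one row from `gangs` by ShortName, or null if there is none.
 * The user-supplied value travels as a bound parameter, never inside the
 * SQL text, so quotes, backslashes and comment sequences in it are data.
 * Note: get_result() requires the mysqlnd driver.
 */
function fetchGangByShortName(mysqli $db, string $shortName): ?array
{
    $stmt = $db->prepare('SELECT * FROM gangs WHERE ShortName = ? LIMIT 1');
    $stmt->bind_param('s', $shortName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matched
    $stmt->close();
    return $row ?: null;
}

/**
 * Cheap second layer: the question says ShortName values have no spaces
 * or special characters, so reject anything else up front. This is
 * defence in depth; the prepared statement is what prevents injection.
 * The exact pattern is an assumption.
 */
function isValidShortName(string $s): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $s);
}

$qryName = $_GET['qryName'] ?? '';
if (!isValidShortName($qryName)) {
    http_response_code(400);
    exit('bad qryName');
}

$urldata = fetchGangByShortName($db, $qryName);
if ($urldata === null) {
    http_response_code(404);
    exit('not found');
}
// ... use $urldata as the original code did
```

The whitelist check is deliberately separate from the query function: if the ShortName format ever changes (say, hyphens are allowed), only isValidShortName() needs editing, and the query stays safe either way because the value is never concatenated into SQL.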