Posts: 368
Threads: 24
Joined: Feb 2012
Title pretty much says it all.
I want to search users' input for several characters (\, /, ', ;, --) and block it, to avoid SQL injection and other unwanted actions.
I tried this, but it gives an error (possibly a non-terminated string).
pawn Code:
strfind(string,"\",true) != -1)
How do I make it work, in the best possible way?
Posts: 2,262
Threads: 260
Joined: Mar 2009
Reputation: 0
Use: strfind(text, "\", true);
or you could escape using the SQL Escape function.
Posts: 368
Threads: 24
Joined: Feb 2012
I real escape every string, but it was brought to my attention that I should have extra protection.
I figured out the problem and it's working now, but is there any better way to do this than using a bunch of strfind?
Posts: 368
Threads: 24
Joined: Feb 2012
I was told real escape was not enough and could be bypassed, and that I should check inputs for certain characters. I'm not the MySQL expert here, I'm just trying to protect against SQL injection based on advice.
Posts: 7,801
Threads: 187
Joined: Feb 2010
Reputation: 0
I've tried injecting myself. It doesn't work.
Posts: 758
Threads: 7
Joined: Mar 2011
Reputation: 0
If you want to search for the backslash character, you might want to use this: (strfind(string,"\\",true) != -1)
This is because \ is used for several escape sequences (for accessing special characters which aren't on your keyboard).
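As an added example (not code posted in this thread), here is one pass over the input in place of a separate strfind() call per character, which answers the "bunch of strfind" question above and uses the "\\" escape the last reply explains. The function name ContainsBlockedInput and the BLOCKED_CHARS constant are my own names, and the character list is the one from the first post.

```pawn
// Added example, not from the thread: scan the input once instead of
// calling strfind() separately for every blocked character.
// Single characters from the first post: \  /  '  ;
// Inside a Pawn string literal the backslash itself has to be written "\\".
new const BLOCKED_CHARS[] = "\\/';";

// Returns 1 if the input contains any blocked character or the "--"
// SQL comment sequence, 0 otherwise.
stock ContainsBlockedInput(const input[])
{
    for (new i = 0; input[i] != '\0'; i++)
    {
        // "--" is a two-character sequence, so it is checked on its own.
        // Reading input[i + 1] is safe: at worst it is the terminating '\0'.
        if (input[i] == '-' && input[i + 1] == '-')
            return 1;

        // Single characters: compare against the blocklist.
        for (new j = 0; BLOCKED_CHARS[j] != '\0'; j++)
        {
            if (input[i] == BLOCKED_CHARS[j])
                return 1;
        }
    }
    return 0;
}

main()
{
    // Constructed sample inputs; "O'Brien" is rejected because of the apostrophe.
    printf("Alice -> %d", ContainsBlockedInput("Alice"));
    printf("O'Brien -> %d", ContainsBlockedInput("O'Brien"));
}
```

As the other replies say, this check is an addition to escaping every string, not a replacement for it. Note that blocking ' also rejects legitimate names containing an apostrophe, so decide per field whether that is acceptable.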