Home/ Questions/Q 6747819
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T12:29:26+00:00

Given 1000s mysql queries in string format, could there be a way to analyze

  • 0

Given 1000s mysql queries in string format, could there be a way to analyze and remove any SQL injections from these strings before running the query?

one idea i had was to check the string for common words/phrases that are used in an sql injection which are never used in the application running the queries. If found, don’t run the query and alert the admins.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    mySQL encourages the use of mysql_real_escape_string to sanitize queries.

    Escapes special characters in the unescaped_string, taking into
    account the current character set of the connection so that it is safe
    to place it in a mysql_query(). If binary data is to be inserted, this
    function must be used.

    mysql_real_escape_string() calls MySQL’s library function
    mysql_real_escape_string, which prepends backslashes to the following
    characters: \x00, \n, \r, \, ‘, ” and \x1a.

    This function must always (with few exceptions) be used to make data
    safe before sending a query to MySQL.

    PS: Here’s a good answer to the addslashes/mysql_real_escape_string debate: http://www.sitepoint.com/forums/showthread.php?337881-addslashes()-vs-mysql_real_escape_string()…the-final-debate&s=7cabb6e5fd909f2c787d47cd01471dfb&p=2439889&viewfull=1#post2439889

    • 0