http://www.ilovejackdaniels.com/article/writing-secure-php/Latest comments on Writing Secure PHP on ILoveJackDaniels.comhttp://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by mohamed rami ( <a href="http://">http://</a> )<br /><br />Thanks Alot for This Article ,its very <br />usefullhttp://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by Alex Tokar ( <a href="http://www.atokar.net/">http://www.atokar.net/</a> )<br /><br />Very nice article for new PHP developers.http://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by techguide ( <a href="http://http://www.devanggandhi.net/">http://http://www.devanggandhi.net/</a> )<br /><br />I am new to PHP and this was really helpfulhttp://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by zyber16 ( <a href="http://">http://</a> )<br /><br />Damn, I had that ' OR 1=1 # hole on my personal website, got it fixed thanks to this article :)http://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by Adaptiv Media ( <a href=""></a> )<br /><br />Thanks, the global variables section was a great help. Also grateful for your mod_rewrite article ;o)http://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by A. ( <a href=""></a> )<br /><br />Don't forget mysql_real_escape_string(), with it your script is protected against SQL injections. I even use it for session variables, you can never be too sure. <br /> <br />Great article by the way.http://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by Scott ( <a href=""></a> )<br /><br />@#55: <br /> <br />QUOTED: <br />What if this is your query: <br />SELECT * FROM users WHERE id = $_GET['id'] <br /> <br />It doesn't matter if this is escaped with addslashes, mysql_escape_string, mysql_real_escape_string, etc. If you enter "99 or union all select 0,0,0,0,0 from users", there is no slash to escape. This is a COMMON mistake and I can't believe no one has told you about this! The best method for handling strings may be addslashes or the like, but integers do not require quotations, thus your filtering system does not work. <br />END QUOTE <br /> <br />If your query had the single quotes around $_GET[id], you'd still be protected. Just because the data will be an integer, it doesn't mean you can't quote it, right?http://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by david Graves ( <a href="http://">http://</a> )<br /><br />This was a great article. I had an attack just two days ago and this helped me understand the attack and how to defend from it. I appreciate your taking the time to talk to us and share your knowledge. <br /> <br />I still have not located the print button??http://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by Hex ( <a href=""></a> )<br /><br />Why mysql_real_escape_string should be used rather than addslasshes: <br /> <br />http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringhttp://www.ilovejackdaniels.com/article/writing-secure-php/comments/http://www.ilovejackdaniels.com/article/writing-secure-php/comments/Comment by FiSh ( <a href="http://13337.org">http://13337.org</a> )<br /><br />I nearly gagged when I saw this: <br /> <br />"By checking for apostrophes in the items we enter into the database, and removing or neutralising them, we can prevent anyone from running their own SQL code on our database." <br /> <br />What if this is your query: <br />SELECT * FROM users WHERE id = $_GET['id'] <br /> <br />It doesn't matter if this is escaped with addslashes, mysql_escape_string, mysql_real_escape_string, etc. If you enter "99 or union all select 0,0,0,0,0 from users", there is no slash to escape. This is a COMMON mistake and I can't believe no one has told you about this! The best method for handling strings may be addslashes or the like, but integers do not require quotations, thus your filtering system does not work.