Re: Sql injection attacks
| From | B. van Ouwerkerk |
|---|---|
| Subject | Re: Sql injection attacks |
| Date | |
| Msg-id | 6.0.0.22.0.20040729123957.02ac5b70@pop.atz.nl |
| In reply to | Re: Sql injection attacks (Harald Fuchs <hf0722x@protecting.net>) |
| List | pgsql-general |
> > That can be confirmed by setting $dbh->trace_level to something greater
> > or equal than 2 and looking at the Pg DBD driver's output.
>
> Shit, you're right. The $dbh->quote() called for the placeholders
> escapes strings for INSERTing, but not for LIKE comparisons. So this
> is one of the few places where using placeholders is not enough.
>
> At least my erroneous assumption can't be used for an SQL injection
> attack - you just get more results than you would get if you escape
> the wildcards by hand.

I've been reading this discussion and I asked myself whether you guys remove/replace unwanted chars from strings you get from the web or not..

If you do remove them AFAIK it doesn't only prevent SQL injection but also XSS.

B.
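The behaviour Harald describes, as an added example that is not part of the thread: a placeholder neutralises a quote in the search term, but `%` and `_` still act as LIKE wildcards until they are escaped by hand and paired with an ESCAPE clause. It uses Python's sqlite3 in-memory database instead of Perl DBI/DBD::Pg so it runs offline; the table and names are constructed here (PostgreSQL's LIKE already defaults to backslash as the escape character, SQLite needs it spelled out).

```python
import sqlite3

# Constructed sample data; one name contains literal LIKE metacharacters.
SAMPLE_USERS = ["alice", "bob", "100%_legit", "carol"]


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape '%', '_' and the escape char itself so LIKE treats them literally.

    The escape character is doubled first so an escape already present in
    the input cannot swallow the one we add in front of '%' or '_'.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    return conn


def find_users_naive(conn: sqlite3.Connection, needle: str) -> list:
    # The placeholder stops quote-based injection ("' OR 1=1 --" matches
    # nothing), but '%' and '_' inside needle are still wildcards to LIKE.
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ?",
                        (needle,)).fetchall()
    return sorted(r[0] for r in rows)


def find_users_escaped(conn: sqlite3.Connection, needle: str) -> list:
    # Same placeholder, plus hand-escaped wildcards and a matching ESCAPE
    # clause, so the search term is matched literally.
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                        (escape_like(needle),)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("naive   '%'    ->", find_users_naive(db, "%"))      # every row
    print("escaped '%'    ->", find_users_escaped(db, "%"))    # nothing
    print("naive   '_lice'->", find_users_naive(db, "_lice"))  # ['alice']
```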