Why can't SQL change so that injection attacks are no longer possible?
People there were referring to the example of getting through the value escaping. It works like this:
```php
$iId = mysql_real_escape_string("1 OR 1=1");
$sSql = "SELECT * FROM table WHERE id = $iId";
```
Well, this could easily be fixed by converting the variable to int before using it, but it's easy to forget. They also give examples of the Unicode character sets getting mishandled, and of using the wrong kind of quotes in the query.
- `$sSql = "SELECT * FROM table WHERE id = " + sanitize_int("1 OR 1=1");`
- `$sSql = sql_q("SELECT * FROM table WHERE id = ") + sql_int($arg);`
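The failure the question describes is context-dependent escaping: a quote-escaping function only protects a value that ends up inside a quoted string literal, and `id = $iId` is an unquoted numeric context. The following is an added example (not code from the question or its answers) that reproduces the same mismatch in Python with an in-memory SQLite database, using a constructed `users` table and a stand-in `escape_quotes` function in place of `mysql_real_escape_string`. It places the escaped-string query beside the two fixes the question mentions: casting to `int` before use, and letting the driver bind the parameter so no SQL is ever built from the input.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_quotes(value: str) -> str:
    """Hypothetical stand-in for mysql_real_escape_string.

    Doubles single quotes so the value is safe *inside a quoted string
    literal*; it does nothing useful in an unquoted numeric position.
    """
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, user_input: str) -> list[int]:
    """Vulnerable: escaped value concatenated into a numeric context."""
    sql = "SELECT id FROM users WHERE id = " + escape_quotes(user_input)
    return [row[0] for row in conn.execute(sql)]


def lookup_int_cast(conn: sqlite3.Connection, user_input: str) -> list[int]:
    """Fix 1: force the value to an int first; int() raises ValueError on
    anything that is not a plain integer, so no SQL text can leak in."""
    sql = "SELECT id FROM users WHERE id = %d" % int(user_input)
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, user_input: str) -> list[int]:
    """Fix 2: parameter binding; the input is sent as data, never parsed
    as SQL, so quoting and context stop mattering."""
    cur = conn.execute("SELECT id FROM users WHERE id = ?", (user_input,))
    return [row[0] for row in cur]


def run_demo(user_input: str) -> dict:
    """Run all three variants on one input and collect the outcomes."""
    conn = make_db()
    results = {
        "escaped": lookup_escaped(conn, user_input),
        "bound": lookup_bound(conn, user_input),
    }
    try:
        results["int_cast"] = lookup_int_cast(conn, user_input)
    except ValueError:
        results["int_cast"] = "rejected"
    return results


if __name__ == "__main__":
    for candidate in ("2", "1 OR 1=1"):
        print(repr(candidate), "->", run_demo(candidate))
```

With a benign `"2"` all three variants return `[2]`. With the question's `"1 OR 1=1"` the escaped version returns every row, the `int` cast rejects the input outright, and the bound query returns nothing because the whole string is compared as a value rather than interpreted as SQL. The bound form is the one to reach for by default: it is correct regardless of whether the value lands in a quoted or numeric position, so there is nothing to forget.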