The fact that this article got any upvotes, let alone 31, is a testament to how many non-programmers read this board. Like InclinedPlane said, sanitizing database input is database 101. You can't even call yourself a hobbyist programmer until you understand that.

For non-technical people: if someone is building you a website, put a single backslash (and only that) in any text fields on your site. If it breaks when you submit, chances are good there is potential for SQL injection. This is not a 100% check that will catch everything; heck, it's not even a 70% check. But a poor programmer who doesn't know anything about SQL injection will likely build code that fails this test.
This is sort of interesting, but I'm not sure how it applies to non-black hats. If you are responsible for this code just switch it all to mysqli and be done with it.
In 2011, one should never need to resort to building SQL with string concatenation in web applications.

If you are on Python, consider using SQLAlchemy or OurSQL. If you are on PHP, consider using Doctrine, Propel, or PDO.
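The two points made in this thread, the "type a stray character and see if it breaks" probe from the first comment and the "just use parameterized queries" advice from the last two, can be shown side by side in a few lines. The following is an added example written for this page, not code from any commenter or from the libraries they name. It uses Python's standard `sqlite3` module with a constructed in-memory table; because SQLite does not treat a backslash as an escape character the way MySQL does, an unpaired single quote (`O'Brien`) plays the role of the backslash probe here, and the backslash case is kept to show that the probe's result depends on the database. The vulnerable function builds the query by string concatenation; the safe one passes the value as a bound parameter, which is the same mechanism behind mysqli and PDO prepared statements.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("O'Brien", 0)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the user's input becomes part of the SQL text,
    so quotes and operators inside it are parsed as SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the statement text is fixed and the value is bound
    separately by the driver, so it can never change the query's structure."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def probe(fn, conn, value):
    """The 'does it break when I submit?' test from the thread: run a lookup and
    report ('ok', rows) or ('error', message) instead of crashing."""
    try:
        return ("ok", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ["O'Brien", "\\", "' OR '1'='1"]:
        print(repr(value))
        print("  concatenated:", probe(lookup_vulnerable, db, value))
        print("  parameterized:", probe(lookup_safe, db, value))
```

Running it shows three things: the stray quote makes the concatenated query fail outright (the symptom the first commenter tells non-programmers to look for), the lone backslash does not break anything on SQLite even though the code is just as injectable (so a passing probe proves nothing), and the classic `' OR '1'='1` payload returns every user from the concatenated version while the parameterized version correctly returns nobody.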