I'm seriously worried about SQL injection



Matt`
July 1st, 2010, 12:06
Some really clever people in this topic told me that my site can still be vulnerable to SQL injection even if I escape all inputs with the mysql_real_escape_string() function: [link]

Unfortunately, they won't reply to me when asked to explain. Could someone tell me what I'm missing, because this would make all my sites vulnerable.

Fellixombc
July 1st, 2010, 17:49
Some really clever people in this topic told me that my site can still be vulnerable to SQL injection even if I escape all inputs with the mysql_real_escape_string() function: [link]

Unfortunately, they won't reply to me when asked to explain. Could someone tell me what I'm missing, because this would make all my sites vulnerable.

I'm pretty sure mysql_real_escape_string() does the job.

If you're still worried, [link].

Justin H
July 1st, 2010, 17:51
I believe it does its job. But just to make sure, I add the escape string + my own small security. :)

Fellixombc
July 1st, 2010, 17:54
I just used that program for any SQL injections, and it found none, so you are good.

Eugene
July 1st, 2010, 19:40
Some really clever people in this topic told me that my site can still be vulnerable to SQL injection even if I escape all inputs with the mysql_real_escape_string() function: [link]

Unfortunately, they won't reply to me when asked to explain. Could someone tell me what I'm missing, because this would make all my sites vulnerable.

They didn't reply, because you said you know more about it than I do. Lol. Good luck.

Matt`
July 1st, 2010, 22:18
No I didn't, I stated that you're safe from SQL injection if you use that function. If I was wrong, then you should explain your reasoning so I and others can learn from our mistakes.

Fellixombc
July 2nd, 2010, 21:30
No I didn't, I stated that you're safe from SQL injection if you use that function. If I was wrong, then you should explain your reasoning so I and others can learn from our mistakes.

You're not wrong. Look at this statement: $query = "SELECT * FROM users WHERE username = $name";
Let's say $name is a field. I simply type '; DROP TABLE users;' in for the name, and it will drop the users table.
mysql_real_escape_string() simply removes any SQL command from the query.

Matt`
July 3rd, 2010, 10:49
You're not wrong. Look at this statement: $query = "SELECT * FROM users WHERE username = $name";
Let's say $name is a field. I simply type '; DROP TABLE users;' in for the name, and it will drop the users table.
mysql_real_escape_string() simply removes any SQL command from the query.

Yeah, that's what I thought. Thanks for clearing it up anyway; obviously people are trying to act smart by making outlandish statements with an element of mystery added to them.