> > on the contrary:
> > sql = mysql_query("select * from users where name='".$name."'");
> >
> > will simply look for a user with a name of "Jim; delete from users;" and
> > return no results found.
>
> But I can also enter:
> jim'; delete from users
>
> You need to catch if there's a quote in the $name too, and escape that.
One thing to remember is mysql_query() will execute just one (the first)
query so use of ; won't do anything in the above except break the
query. Still though the point is well taken, be sure to add slashes
(once) and put single quotes around the criteria ($name) and life will be
grand. Quotes around numerical values won't hurt (such as id = '$id')
although it's not required. If you choose not to do that then be sure
it's numerical before use (like cast it as an int, or check
is_numeric(), etc. ...). Some people check for ';' in the request
variable and if found yell at the user, that can be fun. bugs.php.net
does this.
In regards to the controversial magic_quotes_gpc PHP directive, I feel it
should remain on by default but if you know what you're doing then set it
yourself. Scripts that work everywhere should of course work perfectly
with it on or off. php.ini-dist (the default php.ini) has it on while the
php.ini-recommended has it off. You must know what you're doing to use
the 'recommended' version of php.ini. PHP is a newbie friendly language
and newbies are for the most part clueless and don't know what strings or
integers are, or why data should be escaped, or what data validation is or
why it's important. This is why magical quotes exist as without them
just think how many people would keep getting "malicious SQL" in their
code and blame PHP, or how seemingly random SQL syntax errors would crop
up. For these reasons dealing with "Why do I get \' everywhere????" type
questions is worth it, and why magic_quotes_gpc exists as a php.ini
directive.
Regards,
Philip
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
