2009/4/21 Chris :
>
How does one deal with that? Do you use mysql_real_escape_string?
e.g.
$db_host = 'localhost';
$db_user = 'auser';
$db_pwd = 'apassword';
$database = 'adatabase';
$table = 'authorBook';
if (!mysql_connect($db_host, $db_user,
How does one deal with that? Do you use mysql_real_escape_string?
e.g.
Inputs are user supplied.
Are you saying that I don't need to sanitize the variables above -
$db_host, $db_user, $db_pwd, $database, $table ?
No - they are essentially hardcoded.
A user (through a form or any other
Bastien Koert wrote:
> On Wed, Feb 18, 2009 at 8:34 AM, PJ wrote:
>
>
>> To focus on mysql_real_escape_string, I am recapping... questions below
>> QUOTE:==
>> Instead of doing this (for an imaginary table):
>> $sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
>
Actually no; you said "You only need to escape data coming from a user
going in to your database."
Using a known variable in my app is not going to cause an sql injection
problem.
switch ($value) {
case 'x':
$my_field = 1;
break;
default:
$my_field = 0;
}
an insert here with
Kyle Terry wrote:
On Wed, Mar 4, 2009 at 6:55 PM, Chris wrote:
Eric Butera wrote:
On Wed, Mar 4, 2009 at 8:18 PM, Chris wrote:
You only need to escape data coming from a user going in to your
database.
If you put user input into your database and pull it back out, it's
still raw user in
On Wed, Mar 4, 2009 at 6:55 PM, Chris wrote:
> Eric Butera wrote:
>
>> On Wed, Mar 4, 2009 at 8:18 PM, Chris wrote:
>>
>>> You only need to escape data coming from a user going in to your
>>> database.
>>>
>>
>> If you put user input into your database and pull it back out, it's
>> still raw use
Eric Butera wrote:
On Wed, Mar 4, 2009 at 8:18 PM, Chris wrote:
You only need to escape data coming from a user going in to your database.
If you put user input into your database and pull it back out, it's
still raw user input. Never trust any piece of data ever, whether it
comes from a sup
On Wed, Mar 4, 2009 at 6:27 PM, Eric Butera wrote:
> On Wed, Mar 4, 2009 at 8:54 PM, Michael A. Peters wrote:
> > Eric Butera wrote:
> >
> >>
> >> So here's some examples of bad behavior.
> >>
> >> = Database =
> >> Bad:
> >> $name = mysql_real_escape_string($_POST['name'], $link);
> >> myql_que
On Wed, Mar 4, 2009 at 8:54 PM, Michael A. Peters wrote:
> Eric Butera wrote:
>
>>
>> So here's some examples of bad behavior.
>>
>> = Database =
>> Bad:
>> $name = mysql_real_escape_string($_POST['name'], $link);
>> mysql_query("INSERT INTO foo (`name`) VALUES ('". $name ."')");
>>
>> $name now co
On Wed, Mar 4, 2009 at 8:18 PM, Chris wrote:
> You only need to escape data coming from a user going in to your database.
If you put user input into your database and pull it back out, it's
still raw user input. Never trust any piece of data ever, whether it
comes from a superglobal OR within yo
Eric Butera wrote:
So here's some examples of bad behavior.
= Database =
Bad:
$name = mysql_real_escape_string($_POST['name'], $link);
mysql_query("INSERT INTO foo (`name`) VALUES ('". $name ."')");
$name now contains slashes which means it is corrupt and not able to
be echo'd without a strips
PJ wrote:
Sorry, but I have been waylaid by other posts... :'(
and have not had the opportunity to finish my quest and I posted to
mysql but they are not very helpful
I see I was not very clear below and will annotate below.
But the problem is still there, I cannot figure out how to sanitize
On Wed, Mar 4, 2009 at 8:04 PM, PJ wrote some stuff...
You should do a little reading on some of the keywords that have been presented.
Specifically you don't sanitize a value into your db. You escape it.
Prepared statements are a way of doing this that makes it a bit harder
to mess up. You ha
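The two points made in the thread above, Eric's "Bad" example (overwriting the variable with its escaped form, so what you later echo is corrupt) and the advice to use prepared statements, as an added, runnable example. This is not code from any of the posters; it uses Python and an in-memory SQLite database instead of the thread's PHP and MySQL, so the escaping helper doubles quotes (SQLite's rule) where mysql_real_escape_string would add backslashes. The table, names and the hostile input string are all constructed for the example.

```python
"""Escape at the query boundary (or parameterize) and keep the raw value.

Added example, not from the mailing-list thread. Uses sqlite3 so it runs
offline; the ideas transfer directly to PHP's mysql_real_escape_string
and PDO prepared statements.
"""
import html
import sqlite3

# Constructed sample inputs standing in for $_POST['name'].
USER_NAME = "O'Reilly"
OTHER_NAME = "D'Angelo"
# Hypothetical hostile input: turns a WHERE clause into "name = '' OR '1'='1'".
HOSTILE = "' OR '1'='1"


def sql_escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string.

    Output is only meaningful inside a single-quoted SQL string literal.
    It is NOT the user's text any more, which is the thread's whole point.
    """
    return value.replace("'", "''")


def insert_with_escaped_copy(conn, raw: str) -> str:
    """The 'Bad' pattern: the variable is overwritten with its escaped form."""
    name = sql_escape(raw)
    conn.execute("INSERT INTO foo (name) VALUES ('" + name + "')")
    # The row in the DB is correct, but the caller now holds "O''Reilly",
    # which cannot be echoed or reused without stripping the escaping.
    return name


def insert_parameterized(conn, raw: str) -> str:
    """Prepared statement: the driver handles quoting; raw stays raw."""
    conn.execute("INSERT INTO foo (name) VALUES (?)", (raw,))
    return raw


def lookup_concat(conn, needle: str) -> list:
    """Unescaped concatenation: the injection the thread is warning about."""
    sql = "SELECT name FROM foo WHERE name = '" + needle + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, needle: str) -> list:
    """Escape at the boundary only; the escaped text never leaves this function."""
    sql = "SELECT name FROM foo WHERE name = '" + sql_escape(needle) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, needle: str) -> list:
    """Same query as a prepared statement; nothing to escape by hand."""
    return [row[0] for row in
            conn.execute("SELECT name FROM foo WHERE name = ? ORDER BY id", (needle,))]


def fetch_all(conn) -> list:
    """Data pulled back out is still user input: escape it for the NEXT sink."""
    return [row[0] for row in conn.execute("SELECT name FROM foo ORDER BY id")]


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    escaped_copy = insert_with_escaped_copy(conn, USER_NAME)
    insert_parameterized(conn, OTHER_NAME)
    stored = fetch_all(conn)
    return {
        "escaped_copy": escaped_copy,              # "O''Reilly": corrupt for display
        "stored": stored,                          # both rows hold the raw text
        "injected": lookup_concat(conn, HOSTILE),  # returns every row
        "escaped_lookup": lookup_escaped(conn, HOSTILE),  # []
        "param_lookup": lookup_param(conn, HOSTILE),      # []
        "exact": lookup_param(conn, USER_NAME),    # ["O'Reilly"]
        # HTML output is a different sink with its own escaping rule.
        "html": html.escape(stored[0], quote=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The database row written by the "Bad" pattern is actually fine; the damage is to the variable the program keeps using afterwards, which now carries SQL quoting that has nothing to do with the page it is echoed into. Escaping for SQL and escaping for HTML are separate transformations applied at separate boundaries, and a prepared statement removes the first one from your hands entirely.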
Sorry, but I have been waylaid by other posts... :'(
and have not had the opportunity to finish my quest and I posted to
mysql but they are not very helpful
I see I was not very clear below and will annotate below.
But the problem is still there, I cannot figure out how to sanitize with
mysql_r
On Wed, Feb 18, 2009 at 8:34 AM, PJ wrote:
> To focus on mysql_real_escape_string, I am recapping... questions below
> QUOTE:==
> Instead of doing this (for an imaginary table):
> $sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
>
> do
> $sql = "insert into table1
On Wed, Feb 18, 2009 at 8:34 AM, PJ wrote:
> To focus on mysql_real_escape_string, I am recapping... questions below
> QUOTE:==
> Instead of doing this (for an imaginary table):
> $sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
>
> do
> $sql = "insert into table