That's what escapeshellcmd() is for - never ever trust user data. At minimum, I would 
always use addslashes() or the new mysql_real_escape_string() around every bit of user 
data if it's touching the db. At minimum, and in lieu of data validation that is 
really checking what the user entered (alpha plus spaces, hyphen, period, apostrophe 
only) I would do this:

$query = "Insert into members (name) values ('".addslashes($_POST['name'])."')";
-----Original Message-----
From:   Ed Lazor [mailto:[EMAIL PROTECTED]]
Sent:   Mon 8/16/2004 10:06 AM
To:     'Torsten Roehr'; [EMAIL PROTECTED]
Cc:     
Subject:        RE: [PHP-DB] Re: Basic MySQL Query Question
Is it just me or is this a very bad thing from a security standpoint?  It
seems to me that user input should always be filtered before use.  Otherwise
there's nothing stopping a hacker from embedding sql into the value of the
name variable.

> -----Original Message-----
> Insert into members (name) values ($_POST['name']);

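As an added example (not code from either poster in this thread), here is the validation the reply describes (letters, spaces, hyphen, period, apostrophe only) combined with a prepared statement, which removes the need for addslashes() or mysql_real_escape_string() altogether because the value is never spliced into the SQL text. The table and column names come from the thread; the connection credentials and the length limit are placeholders.

```php
<?php
// Added example, not from the original mailing-list thread.
// Whitelist validation followed by a parameterised INSERT via mysqli.
declare(strict_types=1);

/**
 * Return the trimmed name if it matches the whitelist from the reply
 * (letters, spaces, hyphen, period, apostrophe), otherwise null.
 * The 100-character limit is an assumption, not from the thread.
 */
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    return preg_match("/^[A-Za-z .'-]+$/", $name) === 1 ? $name : null;
}

/**
 * Insert one row into members(name) with a prepared statement.
 * The driver sends the query text and the bound value separately, so
 * no quoting or escaping of $name is required, whatever it contains.
 */
function insertMember(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO members (name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $name);   // 's' binds the value as a string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Reject anything outside the whitelist before it gets near the database.
$name = validateName($_POST['name'] ?? '');
if ($name === null) {
    http_response_code(400);
    exit('Invalid name');
}

// Placeholder credentials; substitute your own.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($db->connect_error) {
    exit('Connection failed');
}
echo insertMember($db, $name) ? 'Member added' : 'Insert failed';
```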