Eric Butera wrote:


So here's some examples of bad behavior.

= Database =
Bad:
$name = mysql_real_escape_string($_POST['name'], $link);
mysql_query("INSERT INTO foo (`name`) VALUES ('". $name ."')");

$name now contains slashes which means it is corrupt and not able to
be echo'd without a stripslashes.  You should never have to call
stripslashes.  If you do, you're doing it wrong.

No, you are not doing it wrong.
You are just doing it a different way.
It's a lot easier to audit your code if you clean the input when you eat the POST.

You should never echo a variable you haven't cleaned anyway because of reflection attacks. Clean it at input, and when auditing your code you look for _POST and make sure you set the variable you use to the output of running the _POST through your filter.

As far as having "Bill O\'Really" in your output, that doesn't happen if you get your output from the database that "Bill O'Really" was inserted into, as the escape has already served its purpose.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
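Both positions in the exchange above can be checked in a few lines. The following PHP is an added example, not code from either poster: it uses an in-memory SQLite database through PDO so it runs without a MySQL server, and PDO::quote() stands in for mysql_real_escape_string() (a driver-specific SQL string escape). The table name foo and the sample value "Bill O'Really" are taken from the thread; the function name demo() is this example's own.

```php
<?php
// Added example, not from the mailing-list thread. Contrasts "clean at
// input" (escape once, then build the query) with "keep the raw value and
// encode separately at each sink". SQLite in memory replaces MySQL;
// PDO::quote() replaces mysql_real_escape_string().

function demo(): array {
    $raw = "Bill O'Really";   // constructed sample $_POST['name'] value

    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE foo (name TEXT)');

    // 1. "Clean at input": the variable now holds an SQL string literal.
    //    That is correct for exactly one sink (the SQL text) and wrong for
    //    every other one, which is the corruption Eric points at.
    $sqlLiteral = $pdo->quote($raw);            // 'Bill O''Really' on SQLite
    $pdo->exec("INSERT INTO foo (name) VALUES ($sqlLiteral)");

    // 2. Keep the raw value and let a prepared statement bind it. No
    //    escaped copy exists that could leak into HTML or logs.
    $stmt = $pdo->prepare('INSERT INTO foo (name) VALUES (?)');
    $stmt->execute([$raw]);

    // Both rows come back as the original string: as the reply says, the
    // escape only ever lived inside the query text, never in the table.
    $rows = $pdo->query('SELECT name FROM foo')->fetchAll(PDO::FETCH_COLUMN);

    return [
        // What echoing the input-escaped variable would print: not display-safe.
        'echo_of_sql_escaped' => $sqlLiteral,
        // The encoding the HTML sink actually needs, applied at output.
        'echo_of_html_safe'   => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), // Bill O&#039;Really
        // Stored values, identical to $raw for both insert styles.
        'stored_values'       => $rows,
    ];
}

print_r(demo());
```

The practical takeaway for an audit is that each sink has its own encoding: the same raw value needs SQL quoting (or a bound parameter) for the query and htmlspecialchars() for the page, so a variable escaped once "at input" is safe for one destination only, and the review has to confirm it never reaches another.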