> $my_val_a = addslashes($HTTP_POST_VARS["val_a"]);
> $my_val_b = addslashes($HTTP_POST_VARS["val_b"]);
> $query = "INSERT INTO foo (a,b) VALUES ($my_val_a,$my_val_b)";
> Or if you have magic_quotes_gpc turned on (the default) all vars
> in from forms/cookies are quoted and SQL injection is not possible.

Actually, this way you are not doing anything. By the format of your
INSERT statement, you are assuming that $my_val_a and $my_val_b are
numbers, since there are no quotes around them. Therefore addslashes()
does nothing to prevent the user from putting a value like --> 12,'bad
value')# <-- into $my_val_a and putting a bad value into the second

Now if you validate that the two are numbers, then you won't have this
problem. And if you are validating a string, yes then use addslashes(),
and the # won't be able to act as a comment, then.

---John Holmes... 

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to