> > You can still use extract($_POST).
> > It is as safe/vulnerable as $_POST['isAdmin'].
> > In either case, use only variables that you know are yours and be
> > these contain values which you believe to be safe. For instance, if
> > a variable called $firstname to contain a name to be stored in a SQL
> > be certain it does not contain SQL commands which can damage your
> Okay, I know I can use strip_tags() and/or htmlspecialchars() to strip
> or modify HTML and PHP code in a string, but, how does one do the same
> MySQL code in a string to prevent tampering?
You pass a string or a number to your query. You have to make sure the
data you're passing is a string, or a number.
If you're expecting a number, and use a query like:
WHERE id = $id
Then make sure $id is a number. You can use is_int, or (int), or
If you're passing a string
WHERE username = '$name'
Then make sure $name has all single quotes escaped within it. If all of
them are escaped, then it's just a string and can't do any harm. If they
aren't escaped, then the user can break out of your own SQL and put
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
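The two checks the reply describes (an integer test for `WHERE id = $id`, quote escaping for `WHERE username = '$name'`), written out as an added PHP example that is not code from the thread. `escape_for_sql` is a constructed stand-in for the driver's escaping function, which needs a live connection; the table and column names are assumed.

```php
<?php
// Added example: the integer check and the single-quote escaping from the
// reply, applied to values as they would arrive in $_POST (always strings).

// Stand-in for mysqli_real_escape_string(), which needs a connection.
// It escapes the same characters that function does, so a quote inside
// the value can no longer close the SQL string literal.
function escape_for_sql(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Numeric input: is_int() is false for every $_POST value (they are
// strings), and (int)"42abc" silently becomes 42, so check the text form
// first and reject anything that is not purely an integer.
function query_by_id(string $raw_id): ?string
{
    if (!preg_match('/^-?\d+$/', $raw_id)) {
        return null;            // reject rather than "clean" it
    }
    $id = (int)$raw_id;
    return "SELECT * FROM users WHERE id = $id";
}

// String input: escape, then quote. After escaping, the value is only ever
// the contents of a string literal, whatever characters it contained.
function query_by_name(string $raw_name): string
{
    $name = escape_for_sql($raw_name);
    return "SELECT * FROM users WHERE username = '$name'";
}

// Constructed sample input, in the shape $_POST would have.
$post = ['id' => '42', 'name' => "O'Brien"];
echo query_by_id($post['id']), "\n";
echo query_by_name($post['name']), "\n";
var_dump(query_by_id('42abc'));   // not an integer, so it is rejected
```

In real code use the driver's own escaping function against the open connection, or prepared statements, instead of the stand-in; the stand-in only shows which characters have to be escaped.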