> > You can still use extract($_POST).
> > It is as safe/vulernable as $_POST['isAdmin'].
> >
> > In either case, use only variables that you know are yours and be
> certain
> > these contain values which you believe to be safe. For instance, if
> expect
> > a variable called $firstname to contain a name to be stored in a SQL
> database,
> > be certain it does not contain SQL commands which can damage your
> database.
> >
> Okay, I know I can use strip_tags() and/or htmlspecialchars() to strip
> or modify HTML and PHP code in a string, but, how does one do the same
> with
> MySQL code in a string to prevent tampering?

You pass a string or an number to your query. You have to make sure the
data you're passing is a string, or a number. 

If you're expecting a number, and use a query like:

WHERE id = $id

Then make sure $id is a number. You can use is_int, or (int), or

If you're passing a string

WHERE username = '$name'

Then make sure $name has all single quotes escaped within it. If all of
them are escaped, then it's just a string and can't do any harm. If they
aren't escaped, then the user can break out of your own SQL and put
their own.

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to