Do *not* use hidden form statements or cookies to store any SQL: this is
extremely dangerous, and a relatively simple hack could destroy your database.

By all means use hidden form fields to store row ID values, but your PHP
scripts should treat all user input data via $_GET/$_POST/$_COOKIE/$_FILES
as hostile, and you should be rigorous in validating that data coming into
your script is as you would expect...

Having said that, it seems your server has magic_quotes_gpc() switched on;
this automatically escapes all incoming data that could upset a SQL query,
i.e. the quotes. You can remove them by using stripslashes() or switch off
magic quotes in your php.ini file. But I would repeat: *don't* continue down
the path you are going unless you like being hacked!

-----Original Message-----
From: Ken Nagorski [mailto:[EMAIL PROTECTED]]
Sent: 23 November 2002 11:52
Subject: [PHP] using cookies

Hi there,

I have never used cookies before, however I am trying to implement them to
make things a little more secure. Rather than passing a SQL statement via a
hidden input tag, I am setting a cookie. This works fine except that when I
look at the SQL after it is pulled from the cookie everything is escaped,
for instance:

SELECT * FROM inventory WHERE name='Watches'
  would become
SELECT manufacturer FROM inventory WHERE name=\'Watches\'

This is a problem because trying to use preg_replace doesn't seem to work. I
get an error saying that the delimiter must not be a \. What a bummer. I am
a little stuck. I will take any suggestions. Maybe I am just going about
things the wrong way. *** Shrug ***


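The two patterns discussed in this thread side by side, as an added example that is not code from either poster: the client-supplied query the original message describes, and the row-ID-plus-validation approach the reply recommends. It assumes a PDO connection, an inventory table with a numeric id column, and prepared statements, which postdate the 2002 thread.

```php
<?php
// Added example. Contrast the pattern the original poster describes
// (executing SQL taken from a cookie) with the approach the reply recommends:
// carry only a row identifier, treat it as hostile, validate it, and bind it
// into a query whose text is fixed in the script. Assumes a PDO connection
// and an "inventory" table with a numeric "id" column (both assumptions).

// Read a request value, undoing magic_quotes_gpc escaping where it is still
// present (the \' the original poster saw). Input is still untrusted afterwards.
function read_request_value(string $raw): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($raw);
    }
    return $raw;
}

// --- What the thread warns against: the client supplies the whole query. ---
// A cookie or hidden field is trivially editable, so this runs whatever SQL
// the client chooses. Shown only as the "before" of the fix; never use it.
function fetch_inventory_unsafe(PDO $db): array
{
    $sql = read_request_value($_COOKIE['sql'] ?? '');
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- What the reply recommends: only a row ID crosses the trust boundary. ---
// Returns null unless the submitted value is a positive integer.
function validate_row_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_inventory_by_id(PDO $db, $raw_id): ?array
{
    $id = validate_row_id($raw_id);
    if ($id === null) {
        return null;   // reject (and log) rather than guess what was meant
    }
    // The query text never changes; the ID is bound as a typed parameter.
    $stmt = $db->prepare('SELECT manufacturer FROM inventory WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with a hidden field <input type="hidden" name="id" value="42">:
// $row = fetch_inventory_by_id($db, $_POST['id'] ?? '');
```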
PHP General Mailing List (
To unsubscribe, visit:
