Absolutely. It's not shell commands or PHP inserted in that you should worry about, but the altering of the queries. Someone putting the wrong characters into a query could cause the query to fail, or, worse yet, perform any operation on the database that the current user is allowed to (like delete from table).

mysql_escape_string is the function that escapes bad characters. It requires a buffer to put the new escaped string into, which should be at least twice as big as the original string (worst-case scenario: every character is escaped). There's also mysql_real_escape_string, basically the same except it has support for Unicode character sets and whatnot. mysql_escape_string exists in both the PHP and C interfaces to MySQL.

--Palrich.

----- Original Message -----
From: "Dale" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, March 31, 2004 2:35 AM
Subject: Processing text before sending it to mysql

> Ok, I know this isn't a MySQL mailing list, but the question pertains to ROM :P
>
> I was wondering, is there a function that MySQL has that I should run any of, like, my descriptions or that through before passing it off to the SQL?
>
> Sort of like how I have the mud smash_tilde any string that is going to be placed into a pfile.
>
> Is there anything like that? I know there's one that will parse out any HTML that may be laced in the string.
>
> I mean, I might sound paranoid, but I'm looking at it from this angle... I plan to have my notes in an SQL database, then I plan to have a website where you could log in and read your notes. Now what is to stop someone from writing a note in the mud, lacing it with their own PHP script that, let's say, at worst case scenario opens a pipe and sends to the shell an 'rm -rf *' kind of command? That's not going to be cute to see all that happen... So is there a library or whatnot that already parses this kind of stuff out? Or would I have to make my own?
>
>
> --
> ROM mailing list
> [email protected]
> http://www.rom.org/cgi-bin/mailman/listinfo/rom

