In the case that you're comparing a field to a field in the database (the field name), do you escape that, or because it is hardcoded you don't need to?
My thoughts are that you need to escape all data going in.
Correct. A field name is not data though. You've already validated it
(somehow, either
Got it. So only when I am going to display the result from the database.
I see.
Or email (or otherwise present it to the user), yes.
But for comparing $dbarray['password'] to $password, don't I have to
escape $password and then md5 it?
Right.
On Aug 23, 2010, at 10:35 PM, Chris wrote:
Just to make sure, cause I am ready to get past this.
Is this correct?
function confirmUP($username, $password){
/* Verify that user is in database */
$q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
Perfect.
/* Retrieve password from res
On Aug 23, 2010, at 9:31 PM, Chris wrote:
To be more specific. Is this correct?
function confirmUP($username, $password){
$username = mysql_real_escape_string($username);
/* Verify that user is in database */
$q = "SELECT password FROM TBL-U WHERE username = '$username'";
I normally do it in the query in case you use the variable so
On Aug 23, 2010, at 8:35 PM, Chris wrote:
You use mysql_real_escape_string for queries on the way in.
$query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'";
You use htmlspecialchars on the way out:
$value = htmlspecialchars($row['name']);
--
Postgresql & php tutorials
http://www.designmagick.com/
Subject: Re: [PHP-DB] Slashes or no slashes
On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
You should be using
http://us2.php.net/manual/en/function.mysql-escape-string.php
You don't need to search with extra slashes for retrieval.
I think you should use prepared statements.
Kapu
Hello,
When I add an item to my database and I use addslashes(),
do I have to use addslashes() to a query that looks for that item?
Or would I be adding double slashes and canceling my own result?
TIA
Karl DeSaulniers
Design Drumm
http://designdrumm.com
On Thursday 11 December 2003 17:27, Ng Hwee Hwee wrote:
> can I know when magic_quotes_gpc starts adding slashes and
> stripping slashes?
magic_quotes_gpc is for incoming GET/POST/Cookie data (NB it does not strip
slashes) ...
> I removed my EscapeShellCmd and my data is inserted and re
Hi,
Can I know when magic_quotes_gpc starts adding slashes and stripping slashes?
I removed my EscapeShellCmd and my data is inserted and retrieved from the database
just as I wanted. The problem now comes when I retrieve that data and immediately
insert it into another table.. then
Ng Hwee Hwee wrote:
Just a quick question.. does it mean I don't have to worry that my user may
type any commands in my text field that may hurt my system, since
magic_quotes_gpc is on?
Heh...of course not. :) All magic_quotes is going to do for you is
escape quotes within your text. This will he
Ng Hwee Hwee wrote:
$value = trim(EscapeShellCmd($fieldName));
and then i do a $query= "insert into table set name='$value'";
I swear I did not add any slashes twice (at least as far as I know!!).. Is
there another way that I could have added slashes twice without my knowing??
Heh... look at the outp
Hi John,
thanx!...
Ng Hwee Hwee wrote:
> but why is it that I still get a backslash
> before an occurrence of a single-quote?
for example,
where $fieldName is retrieved from the database through:
Maybe magic_quotes_runtime is enabled? It will add slashes to data from
files and databases. Bottom line, if you actual
hi all,
I need help on my slashes.. I saw php.net say:
"Do not use addslashes() on strings that have already been escaped with
magic_quotes_gpc as you'll then do double escaping."
With that, I also did not do a stripslashes when I retrieve my data, since my
magic_quotes_gpc is on.. but why is