Re: [PHP-DB] Slashes or no slashes

2010-08-24 Thread Chris
In the case that you're comparing a field to a field in the database (the field name) do you escape that or because it is hardcoded you don't need to? My thoughts are that you need to escape all data going in. Correct. A field name is not data though. You've already validated it (somehow, either

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 22, 2010, at 7:12 PM, Chris wrote: On 20/08/10 08:05, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
You use mysql_real_escape_string for queries on the way in. $query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'"; You use htmlspecialchars on the way out: $value = htmlspecialchars($row['name']); -- Postgresql php tutorials http://www.designmagick.com/ --

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 8:35 PM, Chris wrote: You use mysql_real_escape_string for queries on the way in. $query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'"; You use htmlspecialchars on the way out: $value = htmlspecialchars($row['name']); -- Postgresql

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
To be more specific. Is this correct? function confirmUP($username, $password){ $username = mysql_real_escape_string($username); /* Verify that user is in database */ $q = "SELECT password FROM TBL-U WHERE username = '$username'"; I normally do it in the query in case you use the variable

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 9:31 PM, Chris wrote: To be more specific. Is this correct? function confirmUP($username, $password){ $username = mysql_real_escape_string($username); /* Verify that user is in database */ $q = "SELECT password FROM TBL-U WHERE username = '$username'"; I normally do it

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 10:04 PM, Karl DeSaulniers wrote: On Aug 23, 2010, at 9:31 PM, Chris wrote: To be more specific. Is this correct? function confirmUP($username, $password){ $username = mysql_real_escape_string($username); /* Verify that user is in database */ $q = "SELECT password FROM

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
Just to make sure, because I am ready to get past this. Is this correct? function confirmUP($username, $password){ /* Verify that user is in database */ $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'"; Perfect. /* Retrieve password from result

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 10:35 PM, Chris wrote: Just to make sure, because I am ready to get past this. Is this correct? function confirmUP($username, $password){ /* Verify that user is in database */ $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
Got it. So only when I am going to display the result from the database. I see. Or email (or otherwise present it to the user), yes. But for comparing $dbarray['password'] to $password, don't I have to escape $password and then md5 it? Right. -- Postgresql php tutorials

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 11:38 PM, Karl DeSaulniers wrote: On Aug 23, 2010, at 10:35 PM, Chris wrote: Just to make sure, because I am ready to get past this. Is this correct? function confirmUP($username, $password){ /* Verify that user is in database */ $q = "SELECT password FROM ".TBL_USERS.

Re: [PHP-DB] Slashes or no slashes

2010-08-22 Thread Chris
On 20/08/10 08:05, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval.

RE: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Daevid Vincent
You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl DeSaulniers [mailto:k...@designdrumm.com] Sent: Thursday, August 19, 2010 2:29 PM To: php-db@lists.php.net

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl DeSaulniers [mailto:k...@designdrumm.com] Sent: Thursday,

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl DeSaulniers [mailto:k...@designdrumm.com] Sent: Thursday,

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread kapuoriginal
I think you should use prepared statements. Kapu -- From: Karl DeSaulniers k...@designdrumm.com Sent: Friday, August 20, 2010 12:05 AM To: php-db@lists.php.net Subject: Re: [PHP-DB] Slashes or no slashes On Aug 19, 2010, at 4:44 PM, Karl

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
: Friday, August 20, 2010 12:05 AM To: php-db@lists.php.net Subject: Re: [PHP-DB] Slashes or no slashes On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't