I agree, but they all provide some level of handling, just might not be the
'most correct' way of handling it.
bastien

Subject: RE: [PHP] mysql input
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]; php-general@lists.php.net
Date: Mon, 18 Feb 2008 23:31:21 -0500

On Mon
On Mon, February 18, 2008 10:05 pm, nihilism machine wrote:
I have a user saving a VARCHAR(255) field in a mysql db which has
single quotes in the text, how can I replace them so that they don't
fuck up my mysql command?
http://php.net/mysql_real_escape_string
Google for SQL injection for
On Mon, February 18, 2008 10:19 pm, Bastien Koert wrote:
mysql_real_escape_string()
Yes.
addslashes()
No, not right for different charsets. See above.
htmlentities()
Completely and wildly inappropriate.
Might as well use a cannon to slice a tomato.
--
Some people have a gift link here.
On Mon, 2008-02-18 at 23:05 -0500, nihilism machine wrote:
I have a user saving a VARCHAR(255) field in a mysql db which has
single quotes in the text, how can I replace them so that they don't
fuck up my mysql command?
mysql_real_escape_string()
Cheers,
Rob.
--
On Mon, 2008-02-18 at 23:19 -0500, Bastien Koert wrote:
mysql_real_escape_string()
addslashes()
htmlentities()
take your pick
That's a bad answer. If he's using MySQL then he SHOULD use
mysql_real_escape_string(). None of the other functions will fully
protect him from malicious input.
mysql_real_escape_string()
addslashes()
htmlentities()
take your pick
bastien
From: [EMAIL PROTECTED]
To: php-general@lists.php.net
Date: Mon, 18 Feb 2008 23:05:10 -0500
Subject: [PHP] mysql input

I have a user saving a VARCHAR(255) field in a mysql db which has single quotes in the
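The point made in the thread that addslashes() is "not right for different charsets" can be seen at the byte level. The following is an added example, not code from the thread: a Python model of addslashes() whose helper names (`unescaped_quotes`, `report`) and sample inputs are constructed here, checked against a single-byte charset and GBK.

```python
# Added example: a byte-level model of PHP's addslashes(), not PHP source.
# All sample inputs below are constructed for illustration.

def addslashes(raw: bytes) -> bytes:
    """Backslash-escape ', ", \\ and NUL one byte at a time, ignoring charset."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += bytes([0x5C, b])
        elif b == 0x00:                  # NUL becomes the two bytes \0
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes left without a backslash once the bytes are
    decoded in `charset`, i.e. as a server using that charset reads them."""
    text = escaped.decode(charset)       # raises on bytes invalid in charset
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":              # backslash consumes the next char
            i += 2
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def report(raw: bytes) -> dict:
    """Escape `raw` byte-wise, then check the result under two charsets."""
    escaped = addslashes(raw)
    return {cs: unescaped_quotes(escaped, cs) for cs in ("latin-1", "gbk")}


if __name__ == "__main__":
    # Ordinary text: the quote stays escaped under both charsets.
    print(report(b"O'Reilly"))
    # 0xBF followed by a quote: the added 0x5C pairs with 0xBF as one GBK
    # character, so the quote is no longer escaped for a GBK connection.
    print(report(b"\xbf'"))
```

mysql_real_escape_string(), which the replies recommend, escapes with the connection's character set taken into account, which a byte-wise function cannot do.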