PHP version 5.0.0RC3 (cgi) (built: Jul 9 2004 13:18:24)
I'm just getting my feet wet with OO and have run into a problem that I'm
not familiar with...yet.
I have a class that does a database connection and query all together. It
all works nicely until my query has a word with quotes
, July 12, 2004 4:08 PM
To: [EMAIL PROTECTED]
Subject: [PHP] OO woes
Importance: High
PHP version 5.0.0RC3 (cgi) (built: Jul 9 2004 13:18:24)
I'm just getting my feet wet with OO and have run into a
problem that I'm not familiar with...yet.
I have a class that does a database
Message-
From: Matthew Sims [mailto:[EMAIL PROTECTED]
Sent: Monday, July 12, 2004 4:08 PM
To: [EMAIL PROTECTED]
Subject: [PHP] OO woes
Importance: High
PHP version 5.0.0RC3 (cgi) (built: Jul 9 2004 13:18:24)
I'm just getting my feet wet with OO and have run into a
problem that I'm
$query = 'INSERT into aeMail set test=\''.$_POST[test].'\'';
Your quotes look screwy to me. You seem to be missing both trailing single
quotes.
try this:
$query = 'INSERT into aeMail set test=\'''.$_POST[test].'\''';
At 01:07 PM 7/12/2004, Matthew Sims wrote:
PHP version 5.0.0RC3 (cgi) (built:
Your problem has nothing to do with the Objects (or really even PHP for
that matter). You're not supposed to run mysql_escape_string on an
entire query. Here's an example of its usage:
$sString = "This string contains a single-quote (')";
$sQuery = INSERT INTO mytable SET
Your problem has nothing to do with the Objects (or really even PHP for
that matter). You're not supposed to run mysql_escape_string on an
entire query.
Yup, you are correct, my bad.
So I ran my $_POST array into array_map before the injection:
$_POST = array_map('mysql_escape_string', $_POST);
Matthew Sims wrote:
Your problem has nothing to do with the Objects (or really even PHP for
that matter). You're not supposed to run mysql_escape_string on an
entire query.
So I ran my $_POST array into array_map before the injection:
$_POST = array_map('mysql_escape_string', $_POST);
And it all