2009/4/21 Chris dmag...@gmail.com:
How does one deal with that? Do you use mysql_real_escape_string?
e.g.
<?php
$db_host = 'localhost';
$db_user = 'auser';
$db_pwd = 'apassword';
$database = 'adatabase';
$table = 'authorBook';
if (!mysql_connect($db_host, $db_user, $db_pwd))
Bastien Koert wrote:
On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote:
To focus on mysql_real_escape_string, I am recapping... questions below
QUOTE:==
Instead of doing this (for an imaginary table):
$sql = "insert into table1(field1, field2) values ('$value1',
How does one deal with that? Do you use mysql_real_escape_string?
e.g.
<?php
$db_host = 'localhost';
$db_user = 'auser';
$db_pwd = 'apassword';
$database = 'adatabase';
$table = 'authorBook';
if (!mysql_connect($db_host, $db_user, $db_pwd))
die("Can't connect to database");
if
Sorry, but I have been waylaid by other posts... :'(
and have not had the opportunity to finish my quest and I posted to
mysql but they are not very helpful
I see I was not very clear below and will annotate below.
But the problem is still there, I cannot figure out how to sanitize with
On Wed, Mar 4, 2009 at 8:04 PM, PJ af.gour...@videotron.ca wrote some stuff...
You should do a little reading on some of the keywords that have been presented.
Specifically you don't sanitize a value into your db. You escape it.
Prepared statements are a way of doing this that makes it a bit
PJ wrote:
Sorry, but I have been waylaid by other posts... :'(
and have not had the opportunity to finish my quest and I posted to
mysql but they are not very helpful
I see I was not very clear below and will annotate below.
But the problem is still there, I cannot figure out how to sanitize
Eric Butera wrote:
So here's some examples of bad behavior.
= Database =
Bad:
$name = mysql_real_escape_string($_POST['name'], $link);
mysql_query("INSERT INTO foo (`name`) VALUES ('" . $name . "')");
$name now contains slashes which means it is corrupt and not able to
be echoed without a
On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote:
You only need to escape data coming from a user going into your database.
If you put user input into your database and pull it back out, it's
still raw user input. Never trust any piece of data ever, whether it
comes from a
On Wed, Mar 4, 2009 at 8:54 PM, Michael A. Peters mpet...@mac.com wrote:
Eric Butera wrote:
So here's some examples of bad behavior.
= Database =
Bad:
$name = mysql_real_escape_string($_POST['name'], $link);
mysql_query("INSERT INTO foo (`name`) VALUES ('" . $name . "')");
$name now contains
On Wed, Mar 4, 2009 at 6:27 PM, Eric Butera eric.but...@gmail.com wrote:
On Wed, Mar 4, 2009 at 8:54 PM, Michael A. Peters mpet...@mac.com wrote:
Eric Butera wrote:
So here's some examples of bad behavior.
= Database =
Bad:
$name = mysql_real_escape_string($_POST['name'], $link);
Eric Butera wrote:
On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote:
You only need to escape data coming from a user going into your database.
If you put user input into your database and pull it back out, it's
still raw user input. Never trust any piece of data ever, whether
On Wed, Mar 4, 2009 at 6:55 PM, Chris dmag...@gmail.com wrote:
Eric Butera wrote:
On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote:
You only need to escape data coming from a user going into your
database.
If you put user input into your database and pull it back out, it's
Kyle Terry wrote:
On Wed, Mar 4, 2009 at 6:55 PM, Chris dmag...@gmail.com wrote:
Eric Butera wrote:
On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote:
You only need to escape data coming from a user going into your
database.
If you put user input into your database and pull
Actually no; you said "You only need to escape data coming from a user
going into your database."
Using a known variable in my app is not going to cause an SQL injection
problem.
switch ($value) {
    case 'x':
        $my_field = 1;
        break;
    default:
        $my_field = 0;
}
an insert here with
On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote:
To focus on mysql_real_escape_string, I am recapping... questions below
QUOTE:==
Instead of doing this (for an imaginary table):
$sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
do
$sql =