On 10/30/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> [...]
> //Add new customer to database
> function AddNewCustomer($FirstName, $LastName, $Address,
>                         $City, $State, $ZipCode,
>                         $AreaCode, $Phone, $Email,
>                         $WebsiteURL, $LoginName, $Password
>                         )
> {
>     $query = 'INSERT INTO Customer_Info (FirstNameCol,
>                   LastNameCol, AddressCol, CityCol, StateCol,
>                   ZipCodeCol, AreaCodeCol, PhoneCol,
>                   EmailCol, WebsiteURLCol,
>                   LoginNameCol, PasswordCol
>                   )
>               VALUES ("'. $FirstName . '", "' . $LastName . '",
>                   "' . $Address . '", "' . $City . '",
>                   "' . $State . '", "' . $ZipCode . '",
>                   "' . $AreaCode . '", "' . $Phone . '",
>                   "' . $Email . '",
>                   "' . $WebsiteURL . '", "' . $LoginName . '",
>                   "' . SHA1($Password) . '")';
> }
>
> Feel free to correct my code and give suggestions for better techniques.
>
Hi Paul,

You always need to escape each of the user-submitted values in your SQL, in order to prevent breakage and security vulnerabilities. The mysql_real_escape_string() function is the recommended way to do this.

function dbEsc( $value )
{
    return mysql_real_escape_string( $value );
}

function AddNewCustomer( $FirstName )
{
    $query = 'INSERT INTO Customer_Info ( FirstNameCol )
                VALUES ("'. dbEsc($FirstName) . '")';
    return mysql_query($query);
}

This is one of the two fundamental rules of secure web programming with PHP (the other being that you always escape output values using htmlentities()).

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
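As an added example (it is not code from Paul's post or from Chris's reply), here is the full AddNewCustomer() from the original message rewritten to follow the two rules Chris states: every value is escaped on the way into SQL, and every value is escaped with htmlentities() on the way out to HTML. It shows the input rule two ways: first with a dbEsc() helper that escapes each value before concatenation, as in Chris's snippet, and then as a prepared statement, where the values are bound separately from the SQL text so there is no escaping step that can be forgotten. The table and column names are the ones from the original post. Everything else is my assumption: it uses mysqli (the mysql_* functions the thread discusses were removed in PHP 7, so mysqli_real_escape_string() stands in for mysql_real_escape_string() and takes the connection as its first argument), the connection parameters are placeholders, password_hash() replaces the unsalted SHA1() of the original, and the CUSTOMER_COLUMNS map, buildCustomerInsert() and renderCustomerRow() are helpers invented for this example.

```php
<?php
// Added example, not code from the thread. Requires PHP 5.6+ (password_hash,
// argument unpacking). Connection parameters below are placeholders.

// Rule 1 helper: escape one value for use inside a quoted SQL string literal.
// Escaping is charset-aware, which is why the connection is passed in.
function dbEsc(mysqli $db, $value)
{
    return mysqli_real_escape_string($db, (string) $value);
}

// Columns from the original post, mapped to the keys of the input array.
// Identifiers always come from this fixed list and never from the request:
// escaping protects string literals only, not table or column names.
const CUSTOMER_COLUMNS = [
    'FirstNameCol' => 'FirstName', 'LastNameCol'   => 'LastName',
    'AddressCol'   => 'Address',   'CityCol'       => 'City',
    'StateCol'     => 'State',     'ZipCodeCol'    => 'ZipCode',
    'AreaCodeCol'  => 'AreaCode',  'PhoneCol'      => 'Phone',
    'EmailCol'     => 'Email',     'WebsiteURLCol' => 'WebsiteURL',
    'LoginNameCol' => 'LoginName', 'PasswordCol'   => 'Password',
];

// Storage form of the password: salted, slow hash instead of bare SHA1().
function storablePassword($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Rule 1, version A: build the INSERT by passing every value through dbEsc().
function buildCustomerInsert(mysqli $db, array $customer)
{
    $cols = [];
    $vals = [];
    foreach (CUSTOMER_COLUMNS as $col => $key) {
        $value  = ($key === 'Password') ? storablePassword($customer[$key]) : $customer[$key];
        $cols[] = $col;
        $vals[] = '"' . dbEsc($db, $value) . '"';
    }
    return 'INSERT INTO Customer_Info (' . implode(', ', $cols) . ')'
         . ' VALUES (' . implode(', ', $vals) . ')';
}

function AddNewCustomerEscaped(mysqli $db, array $customer)
{
    return $db->query(buildCustomerInsert($db, $customer));
}

// Rule 1, version B: a prepared statement. The SQL text contains only
// placeholders; the values travel separately and are never parsed as SQL.
function AddNewCustomerPrepared(mysqli $db, array $customer)
{
    $cols = array_keys(CUSTOMER_COLUMNS);
    $sql  = 'INSERT INTO Customer_Info (' . implode(', ', $cols) . ')'
          . ' VALUES (' . implode(', ', array_fill(0, count($cols), '?')) . ')';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $params = [];
    foreach (CUSTOMER_COLUMNS as $key) {
        $params[] = ($key === 'Password') ? storablePassword($customer[$key]) : (string) $customer[$key];
    }
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    return $stmt->execute();
}

// Rule 2: escape every value on the way out to HTML.
function h($value)
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

function renderCustomerRow(array $row)
{
    $cells = '';
    foreach (['FirstNameCol', 'LastNameCol', 'EmailCol', 'WebsiteURLCol'] as $col) {
        $cells .= '<td>' . h($row[$col]) . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed sample input containing the characters both rules exist for:
// a quote that would end a SQL literal and a tag that would render as HTML.
$customer = [
    'FirstName' => 'Rob "Bob"',      'LastName'   => "O'Brien",
    'Address'   => '1 Main St',      'City'       => 'New York',
    'State'     => 'NY',             'ZipCode'    => '10001',
    'AreaCode'  => '212',            'Phone'      => '5550100',
    'Email'     => 'rob@example.com','WebsiteURL' => 'http://example.com/<b>x</b>',
    'LoginName' => 'rob',            'Password'   => 'correct horse battery staple',
];

if (PHP_SAPI === 'cli') {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    if ($db->connect_error) {
        exit('connect failed: ' . $db->connect_error . PHP_EOL);
    }
    $db->set_charset('utf8mb4');
    echo buildCustomerInsert($db, $customer), PHP_EOL; // quotes arrive as \" and \'
    var_dump(AddNewCustomerPrepared($db, $customer));
    echo renderCustomerRow([
        'FirstNameCol' => $customer['FirstName'], 'LastNameCol'   => $customer['LastName'],
        'EmailCol'     => $customer['Email'],     'WebsiteURLCol' => $customer['WebsiteURL'],
    ]), PHP_EOL; // the <b> tag is printed as &lt;b&gt;, not rendered
}
```

The point of keeping dbEsc() and the prepared statement side by side is that the escaping version is only as safe as the discipline of calling dbEsc() on every single value, which is exactly the mistake in the original AddNewCustomer(); the prepared statement makes that mistake impossible for the values, while the column list still has to be a fixed, code-controlled list because no form of escaping covers identifiers.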