Hi, Chris!
Thanks for the great advice, and I will do just that.
Paul
====================
Chris Snyder wrote:
Hi Paul,
You always need to escape each of the user submitted values in your
SQL, in order to prevent breakage and security vulnerabilities. The
mysql_real_escape_string() function is the recommended way to do this.
function dbEsc( $value ) {
// escape quotes, backslashes and NUL bytes for the current MySQL connection
return mysql_real_escape_string( $value );
}
function AddNewCustomer( $FirstName ) {
// escape the user-submitted value before concatenating it into the SQL string
$query = 'INSERT INTO Customer_Info ( FirstNameCol )
VALUES ("'. dbEsc($FirstName) . '")';
return mysql_query($query);
}
This is one of the two fundamental rules of secure web programming
with php (the other being that you always escape output values using
htmlentities()).
--
Chris Snyder
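An added example (not from Chris's post) putting the two rules side by side: the same INSERT built with and without dbEsc(), plus htmlentities() on output. It assumes an open MySQL link from mysql_connect(), which mysql_real_escape_string() needs, and the Customer_Info table from the post.

```php
<?php
// Added example, not code from the original thread.
// Assumes an open MySQL link (mysql_connect()) and a table
// Customer_Info with a column FirstNameCol.

function dbEsc($value) {
    // Escape quotes, backslashes and NUL bytes for the current connection
    return mysql_real_escape_string($value);
}

// Unsafe: the raw value is concatenated straight into the statement,
// so any double quote in it terminates the string literal early.
function buildInsertUnsafe($firstName) {
    return 'INSERT INTO Customer_Info ( FirstNameCol ) VALUES ("'
        . $firstName . '")';
}

// Safe: the value is escaped first, so the literal stays intact and
// the database sees the quote as data, not as syntax.
function buildInsertSafe($firstName) {
    return 'INSERT INTO Customer_Info ( FirstNameCol ) VALUES ("'
        . dbEsc($firstName) . '")';
}

// Constructed input: a first name that happens to contain a double quote.
$firstName = 'Ann "Annie"';

// Compare the two statements; only the escaped one is valid SQL.
echo buildInsertUnsafe($firstName), "\n";
echo buildInsertSafe($firstName), "\n";

// Run the safe statement; mysql_query() returns false on a broken query.
if (mysql_query(buildInsertSafe($firstName)) === false) {
    echo "insert failed: ", mysql_error(), "\n";
}

// Second rule: escape on output too, so the stored name is rendered
// as text in the browser rather than being interpreted as markup.
echo htmlentities($firstName, ENT_QUOTES), "\n";
```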
New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk