I ran a test (just added a SQL command, a harmless one, in a text field) to see what happens on SQL injection without proper slashing or escaping (addslashes/mysql_real_escape_string). I like mysql_real... cause it takes the guesswork out of making the data safe. Thanks everyone for the brief lesson on the dangers of this (now I get to go back to all my INSERT/UPDATE queries and add this functionality, better safe than sorry).
Anthony Wlodarski
Senior Technical Recruiter
Shulman Fleming & Partners
646-285-0500 x230
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Sgro (ProjectSkyLine)
Sent: Tuesday, August 14, 2007 9:15 PM
To: NYPHP Talk
Subject: Re: [nyphp-talk] Is there something wrong with this SQL query in PHP?

heh, Yeah I guess. They weren't validating the user's input. = ]

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons

----- Original Message -----
From: "John Campbell" <[EMAIL PROTECTED]>
To: "NYPHP Talk" <talk@lists.nyphp.org>
Sent: Tuesday, August 14, 2007 8:31 PM
Subject: Re: [nyphp-talk] Is there something wrong with this SQL query in PHP?

>> They had the exact same problems w/XSS, no input validation.
>
> Input validation? Don't you mean output escaping? You must not allow
> uber leet usernames like |<33|>. :)
>
> -john campbell
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
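The three ways the thread contrasts for handling user input in an INSERT/UPDATE/SELECT (raw concatenation, escaping as mysql_real_escape_string does, and a prepared statement), shown side by side in an added example that is not part of the thread. It assumes PHP with PDO and the pdo_sqlite driver and runs against an in-memory SQLite database so it needs no MySQL server; PDO::quote() stands in for mysql_real_escape_string(), which requires a live MySQL link. The table, rows and "user input" values are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: compare raw concatenation,
// escaping (PDO::quote, the driver-independent counterpart of
// mysql_real_escape_string) and a prepared statement on the same inputs.
// Assumes the pdo_sqlite extension; the database lives in memory.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed "user input": a legitimate name containing an apostrophe, and a
// value whose quote character would change the meaning of an unescaped WHERE.
$inputs = ["O'Brien", "x' OR '1'='1"];

function lookupUnsafe(PDO $pdo, string $name): array
{
    // 1. Raw concatenation: the input becomes part of the SQL text itself.
    $sql = "SELECT name FROM users WHERE name = '$name'";
    try {
        return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return ['SQL error: ' . $e->getMessage()];
    }
}

function lookupEscaped(PDO $pdo, string $name): array
{
    // 2. Escaping: quotes inside the value are doubled/escaped and the value
    //    is wrapped in quotes, so it stays a single string literal.
    $sql = 'SELECT name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function lookupPrepared(PDO $pdo, string $name): array
{
    // 3. Prepared statement: the value is bound separately and never becomes
    //    part of the SQL text, so no escaping is needed at all.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach ($inputs as $input) {
    printf("input %s\n", var_export($input, true));
    printf("  unsafe  : %s\n", json_encode(lookupUnsafe($pdo, $input)));
    printf("  escaped : %s\n", json_encode(lookupEscaped($pdo, $input)));
    printf("  prepared: %s\n", json_encode(lookupPrepared($pdo, $input)));
}
```

Run it with `php example.php`. For "O'Brien" the unsafe version reports a SQL syntax error (the apostrophe terminates the literal early), while the escaped and prepared versions correctly return no rows. For the second input the unsafe version returns every user because the WHERE clause has been rewritten, while both safe versions again return no rows, since they look for a user literally named `x' OR '1'='1`. The prepared form is the one to reach for in new code: the escaping approach only works if every single value passes through the escape function, which is exactly the maintenance burden the thread describes.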