I thought I was pretty clear, that query was an example of what many newbies do, not what I would do (... so they don't blow their brains out with things like ...) exposing a vulnerability and almost certainly exposing themselves to copy-paste repetition. It certainly wasn't shorthand, and I've seen it a thousand times.
On Fri, Apr 25, 2008 at 8:49 AM, Daniel Convissor <[EMAIL PROTECTED]> wrote:

> On Thu, Apr 24, 2008 at 07:34:50PM -0400, Austin Smith wrote:
>
> > Further, I've long wanted to write a very simple set of flexible helper
> > functions for PHP newbies so they don't blow their brains out with things
> > like mysql_query("insert into blog_entries values(0, "{$_POST['title']}",
> > "{$_POST['body']}");
>
> Fortunately, you haven't done so yet and thereby introduce the world to
> another SQL Injection attack and path disclosure vulnerability. :) You
> have to escape input into the query and ensure $_POST variables actually
> exist before using them to avoid PHP notices.
>
> Of course, you can say you were just posting short hand. But you were
> being pretty specific in your example.
>
> --Dan
>
> --
> T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
> data intensive web and database programming
> http://www.AnalysisAndSolutions.com/
> 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
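The two fixes Dan calls for in the quoted reply (keep $_POST data out of the SQL text, and check the keys exist before touching them so no notice leaks the script path) look like this in practice. This is an added example, not code from either poster; it uses an in-memory SQLite database so it runs on its own, and the blog_entries table and column names are assumptions.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// so it runs stand-alone; the blog_entries table and its columns are assumptions.

// The pattern the thread warns against (shown for contrast only, never to run):
//   mysql_query("insert into blog_entries values(0, '{$_POST['title']}', '{$_POST['body']}')");
// Two problems: $_POST text becomes SQL text (injection), and a missing key
// raises a PHP notice that prints the script path (path disclosure).

function insertBlogEntry(PDO $pdo, array $post): int
{
    // Check the fields exist before use: no notices, no silent empty-string inserts.
    foreach (['title', 'body'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing or invalid form field: $field");
        }
    }
    // Bound parameters keep the values out of the SQL text entirely, so a
    // quote inside the title is stored as data rather than parsed as syntax.
    $stmt = $pdo->prepare('INSERT INTO blog_entries (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $post['title'], ':body' => $post['body']]);
    return (int) $pdo->lastInsertId();
}

// Stand-alone demonstration with constructed input (not a real request).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog_entries (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, body TEXT)');

$constructedPost = ['title' => "O'Reilly's \"quoted\" title", 'body' => 'Hello, world'];
$id = insertBlogEntry($pdo, $constructedPost);
$row = $pdo->query('SELECT title, body FROM blog_entries WHERE id = ' . (int) $id)
           ->fetch(PDO::FETCH_ASSOC);
echo "Stored row $id: {$row['title']} / {$row['body']}\n";

// A request missing a field is rejected cleanly instead of emitting a notice.
try {
    insertBlogEntry($pdo, ['title' => 'no body']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

Against a real MySQL server the same function works unchanged with a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to false there makes the driver use server-side prepared statements rather than client-side escaping, which is the stronger of the two behaviours.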