Posted by Mike on 07/18/06 07:36
I've been looking at this a lot, but my head hurts trying to understand it,
even looking at php.net!!
I have a function...
    // Quote variable to make safe
    function quote_smart($value)
    {
        // Stripslashes: undo magic_quotes_gpc so the value is escaped exactly once
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number or a numeric string.
        // mysql_real_escape_string() needs an open mysql_connect() link and
        // escapes according to that link's character set.
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
which I pass all inputs from a user through, as it states on php.net; it
makes it safe.
Now I still don't understand why. If on a registration page where you
enter, say, a username, I enter AND ' ' = ' ' and then I check the
database, it's stored exactly like that: AND ' ' = ' '.
Maybe I'm looking at it wrong. What is this function meant to do and
how does it stop DB injection?
Many Thanks
Mike
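The following is an added example, not code from Mike's post or from php.net, that shows why the function stores the attacker's text verbatim and still stops injection. It ports quote_smart() to Python (the magic_quotes step dropped), emulates the escaping mysql_real_escape_string() performs for single-byte and UTF-8 connection character sets, and builds a login query both by hand-quoted concatenation and via quote_smart(). The users table, the login query shape and the payload strings are assumptions made for the example; the database run at the end uses SQLite, whose dialect does not accept MySQL's backslash escapes, so the safe side there binds the value as a parameter instead of escaping it.

```python
import re
import sqlite3

# Escapes applied by mysql_real_escape_string() for single-byte and UTF-8
# connection character sets (emulated here; no MySQL server is involved).
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}

# Approximation of PHP's is_numeric(): optional leading whitespace, sign,
# decimal or exponent form. (PHP 5 also accepted hex strings such as "0x1A";
# this port does not, so such input gets quoted.)
_NUMERIC_RE = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def is_numeric(value: str) -> bool:
    return _NUMERIC_RE.fullmatch(value) is not None


def mysql_real_escape_string(value: str) -> str:
    """Emulation of the escaping mysql_real_escape_string() performs."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def quote_smart(value: str) -> str:
    """Port of the post's quote_smart() (magic_quotes step omitted).

    Numbers come back bare; anything else becomes one single-quoted SQL
    string literal whose quote characters are escaped, so the value can only
    ever be data inside that literal, never part of the query structure."""
    if is_numeric(value):
        return value
    return "'" + mysql_real_escape_string(value) + "'"


def login_query_unsafe(username: str) -> str:
    """Hand-quoted concatenation: an attacker's quote closes the literal."""
    return "SELECT id FROM users WHERE username = '" + username + "'"


def login_query_quote_smart(username: str) -> str:
    """The same query built the way the post's function intends."""
    return "SELECT id FROM users WHERE username = " + quote_smart(username)


def demo_sqlite(payload: str):
    """Run the attack against an in-memory SQLite database (constructed data).

    Returns (stored usernames, rows matched by the concatenated login query,
    rows matched by the parameter-bound login query).
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    # Registration stores the text exactly as typed. That is correct: the
    # string from the post is just a username here, not SQL.
    for name in ("AND ' ' = ' '", "alice"):
        db.execute("INSERT INTO users (username) VALUES (?)", (name,))
    stored = [row[0] for row in db.execute("SELECT username FROM users ORDER BY id")]
    unsafe_hits = len(db.execute(login_query_unsafe(payload)).fetchall())
    safe_hits = len(
        db.execute("SELECT id FROM users WHERE username = ?", (payload,)).fetchall()
    )
    db.close()
    return stored, unsafe_hits, safe_hits


if __name__ == "__main__":
    attack = "' OR '1'='1"
    print(login_query_unsafe(attack))       # literal closed early; OR clause is live SQL
    print(login_query_quote_smart(attack))  # every quote escaped; still one literal
    print(quote_smart("AND ' ' = ' '"))     # the post's input, as it reaches MySQL
    print(demo_sqlite(attack))
```

The point for the registration page is that quote_smart() is supposed to make the input come out of the database exactly as typed: escaping turns the quotes into part of a string literal instead of terminators of it, and MySQL removes the backslashes when it parses the literal. The damage only shows up where the same text is concatenated into a query without that step, as the login query above does, and the escaping must match the dialect and character set of the server that parses the query, which is why the SQLite run binds a parameter rather than reusing MySQL-style escapes.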