Re: db injection...again

Posted by Rik on 07/18/06 12:16

Mike wrote:
> I've been looking at this a lot but my head hurts trying to
> understand, even looking at php.net!!
>
> I have a function...
>
> // Quote variable to make safe
> function quote_smart($value)
> {
> // Stripslashes
> if (get_magic_quotes_gpc()) {
> $value = stripslashes($value);
> }
> // Quote if not a number or a numeric string
> if (!is_numeric($value)) {
> $value = "'" . mysql_real_escape_string($value) . "'";
> }
> return $value;
> }
>
> Which I pass all inputs from a user through as it states on php.net,
> it makes it safe.
>
> Now I still don't understand why. If on a registration page where you
> enter say a username I enter AND ' ' = ' ' and then I check the
> database, it's stored exactly like that - AND ' ' = ' '.

That's the whole purpose.
You escape the variable so "AND ' ' = ' '" is stored as a value in a
database, and not run as part of the query.... Validating whether the
username is correct is a whole other thing.

Grtz,
--
Rik Wasmus
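The distinction Rik draws (escaping keeps the input as data; deciding whether that data is an acceptable username is separate validation) is shown below in an added Python example that is not code from the thread. It ports the idea of Mike's quote_smart() to SQLite, whose escaping rule (doubling single quotes) is assumed here in place of mysql_real_escape_string, and puts the escaped-string approach beside a parameterized query. The table, the username allowlist rule, and the sample input are constructed for the example.

```python
import re
import sqlite3

# Constructed sample input: the string Mike typed into the username field.
MIKES_INPUT = "AND ' ' = ' '"

# Pattern approximating PHP's is_numeric(): optional sign, decimal digits,
# optional fraction and exponent. Strings like "nan" or "inf" are rejected
# so that nothing non-numeric is ever placed in the query unquoted.
_NUMERIC = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*")


def is_numeric(value):
    """Approximation of PHP's is_numeric() for ints, floats and numeric strings."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and _NUMERIC.fullmatch(value) is not None


def quote_smart(value):
    """Port of the thread's quote_smart() for SQLite (assumption: SQLite escapes
    a single quote by doubling it; MySQL's mysql_real_escape_string also handles
    backslashes, NUL bytes and newlines, so this is not a drop-in for MySQL)."""
    if is_numeric(value):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def build_insert_escaped(username):
    """The SQL text produced when the escaped value is spliced into the query."""
    return "INSERT INTO users (username) VALUES (" + quote_smart(username) + ")"


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    return conn


def insert_escaped(conn, username):
    # Escaped value spliced into the SQL text, as quote_smart() is used in PHP.
    conn.execute(build_insert_escaped(username))


def insert_parameterized(conn, username):
    # Preferred form: the driver keeps the value out of the SQL text entirely,
    # so no escaping step is needed and nothing can be mis-escaped.
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))


def stored_usernames(conn):
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY id")]


def is_valid_username(name):
    """Validation is separate from escaping: here an allowlist of 3 to 20
    letters, digits or underscores (an assumed policy for the example)."""
    return re.fullmatch(r"[A-Za-z0-9_]{3,20}", name) is not None


def demo():
    """Store Mike's input both ways; both rows hold it verbatim as data."""
    conn = setup()
    insert_escaped(conn, MIKES_INPUT)
    insert_parameterized(conn, MIKES_INPUT)
    return stored_usernames(conn)


if __name__ == "__main__":
    print(build_insert_escaped(MIKES_INPUT))
    for name in demo():
        print(repr(name), "valid username:", is_valid_username(name))
```

Running it prints the escaped statement, with every quote in the input doubled so the parser reads it as one string literal, and then the two stored rows, each holding the raw text AND ' ' = ' ' exactly as Mike saw in his database. The allowlist check then rejects that text as a username, which is the validation step Rik says has to happen on its own.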
