Posted by Steve on 11/14/06 17:55
"Christoph Burschka" <christoph.burschka@rwth-aachen.de> wrote in message
news:4rtdltFsphjiU1@mid.dfncis.de...
| Michael Fesser wrote:
| > .oO(kenoli)
| >
| >
| >>So, suppose I wanted to derive something like:
| >>
| >>WHERE $key1=$value1 AND $key2=$value2 . . .
| >>
| >
| >>from my $_POST?
| >
| >>How would I construct that?
| >
| >
| > You should start with thinking about SQL injection. Using user-submitted
| > values in a database query without any validation is dangerous.
| >
| > Micha
|
| Indeed, SQL injection is a pretty big risk if you don't know about it,
| but it's very easy to prevent.
|
| Until you take the time to write a good validation function, the
| following two things should be safe enough:
| - Removing single ' quotes from the values
Sure, if you want to piss off or otherwise confuse users... by all means,
make assumptions about what they want to store! The correct answer here is
to ENCAPSULATE single quotes, NOT to remove them outright!!!
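As an added example (not code from this thread), here is one way to build that `WHERE $key1=$value1 AND ...` clause from `$_POST` in PHP with PDO so that values keep their apostrophes intact and the driver handles them as bound parameters; the column whitelist, table, and sample input are constructed for the demonstration, and it assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example, not from the thread. Builds "WHERE col1 = ? AND col2 = ?"
// from an associative array such as $_POST. Values are never edited; they
// travel to the database as bound parameters, so "O'Brien" stays "O'Brien".

/**
 * @param string[] $allowed column names the caller permits (constructed whitelist)
 * @param array    $input   request data, e.g. $_POST
 * @return array            [SQL fragment, list of values to bind]
 */
function buildWhere(array $allowed, array $input): array
{
    $clauses = [];
    $params  = [];
    foreach ($input as $key => $value) {
        // Identifiers cannot be bound as parameters, so a column name is
        // accepted only if it matches the fixed list exactly; anything else
        // in the request is ignored rather than pasted into the query.
        if (!in_array($key, $allowed, true)) {
            continue;
        }
        $clauses[] = "`$key` = ?";
        $params[]  = $value;
    }
    if ($clauses === []) {
        return ['', []];
    }
    return ['WHERE ' . implode(' AND ', $clauses), $params];
}

// Constructed sample input standing in for $_POST: one value contains an
// apostrophe, and one key is not a real column at all.
$post = ['name' => "O'Brien", 'city' => 'Aachen', 'not_a_column' => 'x'];

[$where, $params] = buildWhere(['name', 'city'], $post);

// In-memory SQLite through PDO so the example runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (name TEXT, city TEXT)");
$pdo->exec("INSERT INTO people VALUES ('O''Brien', 'Aachen')");

$stmt = $pdo->prepare("SELECT COUNT(*) FROM people $where");
$stmt->execute($params);
echo $where, "\n";
echo 'matching rows: ', $stmt->fetchColumn(), "\n";
```

The same function works unchanged for a MySQL DSN; only the whitelist and the column quoting style need to match the target database.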