Posted by Andrew C on 11/19/06 10:14
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:GJOdnYFLJMolnsPYnZ2dnUVZ_q-dnZ2d@comcast.com...
> gzerphey wrote:
>> Thank you in advance for helping.
>>
>> I have a bit of a problem with MySQL and PHP working together. More
>> specifically when i use htmlspecialchars() to encode my text then load
>> it into the database, it is interpreting the special characters and
>> decoding them.
>>
>> Is there any way that I can preserve this coding and make sure it stays
>> in my database?
>>
>> Example:
>>
>> Here is what is entered -- t%20t
>> Here is what is showing in the database now -- t t
>> here is what I would like to see -- t%20t
>>
>> Thank you again,
>>
>
> htmlspecialchars() is for displaying special characters, not storing them
> in the database. You should be using it to display the data, not place it
> in the database.
>
> What you should do is store the data as is entered (use
> mysql_real_escape_string() to handle any database-specific special
> characters).
(Apologies for thread hijacking...)
I took a look at the PHP documentation for mysql_real_escape_string()
(http://uk.php.net/manual/en/function.mysql-real-escape-string.php) and saw
an example of an 'SQL Injection Attack' (Example 2 on that page) along with
their solution (Example 3).
In their example, wouldn't magic quotes be sufficient to thwart the attack?
In their example, someone supplies $_POST['password'] of "' OR ''='". With
magic quotes on, this would become "\' OR \'\'=\'", correct? When used in
their example query, this would be:
SELECT * FROM users WHERE user='username' AND password='\' OR \'\'=\''
Wouldn't that be okay?
I would be grateful if someone could point out any misunderstandings I have.
Thanks.
A.
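An added worked example, not from the original thread or from the PHP manual, that builds the three query strings under discussion and runs the vulnerable and the fixed login against a throwaway database. The user table, the `addslashes()` emulation (what magic_quotes_gpc applied to request data) and the SQLite in-memory database are all assumptions made for the example; the backslash-escaped query is only displayed, not executed, because SQLite does not treat a backslash as an escape the way MySQL does. Jerry's point about escaping at display time rather than at storage time is shown with `html.escape()` standing in for `htmlspecialchars()`.

```python
import html
import sqlite3

# Constructed sample data for the example (not from the thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The password supplied in the manual's injection example.
PAYLOAD = "' OR ''='"


def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): backslash-escape ', ", \\ and NUL.
    This is what magic_quotes_gpc did to every request value."""
    out = []
    for c in s:
        if c in "'\"\\":
            out.append("\\" + c)
        elif c == "\0":
            out.append("\\0")
        else:
            out.append(c)
    return "".join(out)


def naive_query(user: str, password: str) -> str:
    """String-concatenated query: the attacker's text becomes SQL grammar."""
    return f"SELECT * FROM users WHERE user='{user}' AND password='{password}'"


def magic_quotes_query(user: str, password: str) -> str:
    """Same query after magic quotes escaped the input (MySQL backslash syntax).
    For this payload the literal now reads: ' OR ''=  -- the injection fails.
    mysql_real_escape_string() gives the same text here but also knows the
    connection's character set, which addslashes() does not."""
    return naive_query(addslashes(user), addslashes(password))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Vulnerable: ''='' is always true, so the WHERE clause matches every row."""
    return conn.execute(naive_query(user, password)).fetchall()


def login_param(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Fixed: values travel separately from the statement; quotes are plain data."""
    sql = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, password)).fetchall()


def for_html(stored: str) -> str:
    """Escape at display time only, as the thread advises; the stored value stays raw."""
    return html.escape(stored)


if __name__ == "__main__":
    print(naive_query("alice", PAYLOAD))
    print(magic_quotes_query("alice", PAYLOAD))
    db = make_db()
    print("concatenated login rows:", login_concat(db, "alice", PAYLOAD))
    print("parameterised login rows:", login_param(db, "alice", PAYLOAD))
    print(for_html("<b>t%20t</b>"))
```

Running it prints the injected query the manual shows, the backslash-escaped form from the question above, two rows returned by the concatenated login (both users, with no valid password), an empty result from the parameterised login, and the HTML-escaped display string. Escaping is a per-call defence that depends on the escaper matching the database's parser; parameter binding removes the parsing problem altogether, which is why it is the preferred fix regardless of what magic quotes does to this particular payload.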