Posted by Michael Fesser on 01/16/07 19:14
..oO(plemon)
>So you are saying I should have magic quotes turned on?
No, magic quotes are dead. Turn them off and forget about them.
Thankfully they'll be completely removed in PHP 6.
>I'm reading up
>more on SQL injection at the moment, still don't understand it at all.
Never(!) trust any data sent in from a client. URL parameters, POST
data, cookies - everything can easily be faked. This not only applies to
databases, but to everything on a server that deals with user-submitted
data. Validate everything and escape it if necessary!
In the case of DBs you have to make sure that _all_ data that goes into
a DB is properly escaped, so that it's not possible for an attacker to
inject his own SQL commands to wreak havoc on your DB.
In PHP there are more or less two ways to do that:
1) Use DB-specific escaping functions, like mysql_real_escape_string()
for example.
2) Use prepared statements as provided by the PDO extension.
Micha
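As an added illustration of the point above (not part of Michael's post), the following script puts a string-concatenated query next to a prepared statement and feeds both the same constructed input. Python's sqlite3 module with an in-memory database stands in for PHP's PDO here; the table, rows and crafted input are all constructed for the demo, and the placeholder mechanism is the same idea the post refers to.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is pasted straight into the SQL text, so a
    quote in the input becomes part of the query's structure."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Hardened: placeholders send the input as data, never as SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both versions with a normal login and with a constructed input
    whose quote ends the string literal early and whose -- comments out
    the rest of the WHERE clause."""
    conn = make_db()
    crafted = "alice' --"
    return {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "concat_crafted": login_concat(conn, crafted, "wrong"),
        "prepared_normal": login_prepared(conn, "alice", "s3cret"),
        "prepared_crafted": login_prepared(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

With the concatenated query the crafted input logs in as alice without the password, while the prepared statement simply finds no user named `alice' --`.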