Posted by dajava on 03/11/07 04:09
On Mar 7, 6:48 am, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:
> dajava wrote:
> > $query = "INSERT INTO `Dora_Board` (`Title` , `Writer`,
> > `Password`, `Contents`, `Date`, `Ip`) ";
> > $query = $query . "VALUES ('" . (string)$title . "', '" .
> > (string)$writer . "', '" . (string)$password . "', ";
> > $query = $query . "'" . (string)$contents . "', '" . (string)
> > $date . "', '" . (string)$ip . "')";
>
> As I said -- mysql_real_escape_string(). Replace the above with:
>
> $query = sprintf("INSERT INTO Dora_Board (Title, Writer, Password, Contents, Date, Ip)
> VALUES ('%s', '%s', '%s', '%s', '%s', '%s');",
> mysql_real_escape_string($title),
> mysql_real_escape_string($writer),
> mysql_real_escape_string($password),
> mysql_real_escape_string($contents),
> mysql_real_escape_string($date),
> mysql_real_escape_string($ip));
>
> There are several other chunks of code that need rewriting similarly, but
> that should fix the immediate problem.
>
> If you don't fix these problems your site is open to being cracked by
> nasty people. Yes, really.
>
> Google: mysql_real_escape_string.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> Contact Me ~http://tobyinkster.co.uk/contact
> Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
>
> * = I'm getting there!
Hi,
I received an e-mail from him a moment ago.
He fixed the ' problem based on your advice.
Two comments of mine:
1. mysql_real_escape_string is not part of PHP 4.0.
Therefore, he did some research on the internet
and found out that it is part of PHP 4.3.
2. He just used your code;
he doesn't know the rationale behind mysql_real_escape_string. Lol...
I would like to thank Erwin and Tony for helping my friend.
dajava,
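As an added illustration of the ' problem and of the escaping fix the reply recommends (example code, not from the thread): the same INSERT built three ways. It assumes the pdo_sqlite extension so it runs without a MySQL server; mysql_real_escape_string() itself needs a live MySQL link (and no longer exists in PHP 7+), so PDO::quote() stands in for it here, and a parameterised form is shown alongside. Table and sample values are constructed.

```php
<?php
// Added example, not code from the original post. Assumes pdo_sqlite is
// available so the statements can actually be executed offline.

// 1. Unsafe: string concatenation, as in the original post. A title such
//    as "Dora's board" closes the quoted literal early, so the statement
//    no longer parses (and crafted input could change its meaning).
function build_unsafe(string $title, string $writer): string
{
    return "INSERT INTO Dora_Board (Title, Writer) VALUES ('" . $title . "', '" . $writer . "')";
}

// 2. Escaped: the shape the reply recommends with mysql_real_escape_string().
//    PDO::quote() escapes the value for the connected driver and returns it
//    already wrapped in single quotes, so sprintf() uses %s without quotes.
function build_escaped(PDO $db, string $title, string $writer): string
{
    return sprintf(
        "INSERT INTO Dora_Board (Title, Writer) VALUES (%s, %s)",
        $db->quote($title),
        $db->quote($writer)
    );
}

// 3. Parameterised: preferred where PDO or mysqli is available; the values
//    never become part of the SQL text, so no escaping is needed at all.
function insert_prepared(PDO $db, string $title, string $writer): void
{
    $stmt = $db->prepare("INSERT INTO Dora_Board (Title, Writer) VALUES (:title, :writer)");
    $stmt->execute([':title' => $title, ':writer' => $writer]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Dora_Board (Title TEXT, Writer TEXT)");

$title  = "Dora's board";   // constructed sample input containing a quote
$writer = "dajava";

try {
    $db->exec(build_unsafe($title, $writer));
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

$db->exec(build_escaped($db, $title, $writer));
insert_prepared($db, $title, $writer);

print_r($db->query("SELECT Title, Writer FROM Dora_Board")->fetchAll(PDO::FETCH_ASSOC));
```

Only the escaped and parameterised inserts succeed; the concatenated one is rejected by the parser because the apostrophe in the title ended the string literal early.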