 Posted by Jerry Stuckle on 05/04/07 01:58 
Iván Sánchez Ortega wrote: 
> john wrote: 
>  
>> However, pulling out each variable from the $_POST array seems 
>> awkward. 
>  
> Unless you program a framework just for that, it's the way to go. 
>  
>> The problem with constructing a string comes in due to the fact that 
>> you often need to quote strings in the SQL statement 
>  
> You *always* have to quote strings in SQL. 
>  
>> , e.g. $sql = "insert...values('$_POST['email']..)" There doesn't seem to  
>> be a combination of single and double quotes that works. 
>  
> Re-read the PHP manual, chapter on string expansion: whenever you put an 
> array element inside a double-quoted string, you must enclose it with curly 
> braces. 
>  
>> Is there a standard way people tend to build SQL strings from $_POST 
>> (or $_GET) data in PHP? 
>  
> Yes: *always* escape the variables (or at least, check them): 
>  
> $email = mysql_real_escape_string($_POST['email']); 
> $name  = mysql_real_escape_string($_POST['name']); 
> $age = (int) $_POST['age']; 
>  
> $sql = "insert into foobar values ('$name','$email',$age)"; 
>  
>  
> Do this, and you'll never worry about SQL injections. 
>  
 
And in addition, you need to validate the data before you put it into  
the database.  Ensure, for instance, that your numeric values are indeed  
numeric. 
 
--  
================== 
Remove the "x" from my email address 
Jerry Stuckle 
JDS Computer Training Corp. 
jstucklex@attglobal.net 
==================
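The two points made in this post (escape or cast every value before it goes into the string, and validate the data before it goes anywhere near the database) combined into one runnable script. This is an added example, not code from the thread or from either poster; it uses the mysqli extension (`mysqli_real_escape_string($db, ...)` in place of the older `mysql_real_escape_string`), assumes a table `foobar(name, email, age)` and a connection `$db` with placeholder credentials, and uses constructed sample data in place of a real `$_POST`. The prepared-statement variant at the end goes a step beyond the thread: it shows the same insert with the values bound as parameters, so no quoting decision is left to the author at all.

```php
<?php
// Added example (not from the original post): validate request data, then
// build the INSERT safely. Table `foobar(name, email, age)`, the $db
// connection and the credentials below are assumptions for illustration.

declare(strict_types=1);

// Constructed sample request data, standing in for a real $_POST.
$post = [
    'name'  => "O'Brien",
    'email' => 'obrien@example.com',
    'age'   => '42',
];

/**
 * Validate the request fields before any SQL is built. Returns a list of
 * error messages; an empty list means the data is acceptable.
 */
function validate(array $in): array
{
    $errors = [];
    $name = trim($in['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    // ctype_digit rejects "42abc", "-1" and ""; the range check catches nonsense.
    $age = $in['age'] ?? '';
    if (!ctype_digit($age) || (int) $age < 1 || (int) $age > 150) {
        $errors[] = 'age must be an integer between 1 and 150';
    }
    return $errors;
}

/**
 * Build the statement the way the quoted reply does: escape the strings,
 * cast the integer, and use {curly} expansion for array elements inside
 * the double-quoted string.
 */
function buildInsertSql(mysqli $db, array $in): string
{
    $name  = mysqli_real_escape_string($db, $in['name']);
    $email = mysqli_real_escape_string($db, $in['email']);
    $age   = (int) $in['age'];
    return "INSERT INTO foobar (name, email, age) VALUES ('{$name}', '{$email}', {$age})";
}

/**
 * The same insert as a prepared statement: the values are sent separately
 * from the SQL text, so they are never interpolated or quoted by hand.
 */
function insertPrepared(mysqli $db, array $in): bool
{
    $stmt = $db->prepare('INSERT INTO foobar (name, email, age) VALUES (?, ?, ?)');
    $age  = (int) $in['age'];
    $stmt->bind_param('ssi', $in['name'], $in['email'], $age);
    return $stmt->execute();
}

$errors = validate($post);
if ($errors !== []) {
    http_response_code(400);
    echo implode("\n", $errors), "\n";
    exit;
}

// Placeholder credentials; replace with the real connection settings.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

echo buildInsertSql($db, $post), "\n";   // the escaped-string form from the thread
insertPrepared($db, $post);             // the parameterised form
```

Run it with the sample data and the escaped form prints the apostrophe in `O'Brien` backslash-escaped; feed it `age => '42abc'` and `validate()` rejects the request before any statement is built, which is the check the post above asks for.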
 
  