|
Posted by David Gillen on 05/04/07 13:15
Geoff Berrow said:
> Message-ID: <slrnf3m5ig.p4n.Belial@murphy.redbrick.dcu.ie> from David
> Gillen contained the following:
>
>>You can insert the following snippet
>>foreach($_POST as $key=>$val)
>>{
>> $$key = $val;
>>}
>
> Never trust user supplied data.
> But (for mysql) you could do:
> foreach($_POST as $key=>$val)
> {
> $$key = mysql_real_escape_string($val);
> }
The question posed didn't ask about any sort of input validation, hence I
didn't address it. Obviously after the foreach above you should check all the
variables passed are valid. Again though it is easier to work with
validate($var); than validate($_POST['var']); in terms of readability though.
D.
PS: I knew as soon as I'd posted someone would point out the code wasn't
checking the user passed data.
Navigation:
[Reply to this message]
|