Posted by Toby A Inkster on 05/04/07 15:30

Geoff Berrow wrote:
> David Gillen wrote:
>
>> You can insert the following snippet
>> foreach($_POST as $key=>$val)
>> {
>> $$key = $val;
>> }
>
> Never trust user supplied data.
> But (for mysql) you could do:
> foreach($_POST as $key=>$val)
> {
> $$key = mysql_real_escape_string($val);
> }

That's no better really. Consider, we'll use $_GET as an example instead
of POST, as it's easier to illustrate, but the same principle applies:

http://example.com/foo.php?_SESSION[is_administrator]=1

or, say you log IP addresses into your database whenever someone edits
data...

http://example.com/foo.php?_SERVER[REMOTE_ADDR]=123.45.67.89

--
Toby A Inkster BSc (Hons) ARCS
http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux

• Next in forum: Re: $_POST and Building SQL Strings
• Prev in forum: Re: help with posting conditional if statement
• Thread view: Re: $_POST and Building SQL Strings

[Reply to this message]