Posted by Dave Kelly on 05/14/07 01:22
Mike P2 wrote:
> On May 13, 7:26 pm, Dave Kelly <daveeke...@earthlink.net> wrote:
>> Mike P2 wrote:
>>> ?>
>>> Let's assume you made $_REQUEST['name'] and $describe11 safe for the
>>> file system.
>>> ?>
>> You should make that
>>
>>> variable safe for the file system before using it, though.
>> To isolate a question. I have searched for make variable safe and this
>> is what I found. Is this what you intended by the above statements?
>>
>> <?php //quote-smart.php
>> // Quote variable to make safe
>> function quote_smart($value) {
>> // Stripslashes
>> if (get_magic_quotes_gpc()) {
>> $value = stripslashes($value);
>> }
>> // Quote if not integer
>> if (!is_numeric($value) || $value[0] == '0') {
>> $value = "'" . mysql_real_escape_string($value) . "'";
>> }
>> return $value;
>> }
>>
>> ?>
>>
>> --
>> A little rum in the morning coffee. Just to clear the cobwebs, ya know.
>
> That function is for making data safe to insert it into the database.
> What I meant was to strip out forward slashes and backslashes, because
> otherwise they could put in a name that would make a file path that's
> not where you want it to be.
>
> If they put a slash in it, PHP might think it means the first part is
> a folder.
>
> -Mike PII
>
Does this not take care of that?
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
--
A little rum in the morning coffee. Just to clear the cobwebs, ya know.
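An added example, not code from either poster, that answers the question in practice: it runs `stripslashes()` over a few constructed names to show that it only removes escaping backslashes and leaves forward slashes (and the directory segments they create) untouched, and then shows one way to make a name safe for the file system by allowing only a whitelist of characters. The directory name `$baseDir` and the function names are assumptions for this example.

```php
<?php
// Added example (not from either poster). Demonstrates why stripslashes()
// does not make a value safe for the file system, and one way that does.

// stripslashes() only removes escaping backslashes (as added by magic
// quotes). Forward slashes, and "..", survive unchanged.
function show_stripslashes_effect(string $value): string {
    return stripslashes($value);
}

// Accept a user-supplied name only if it is a single plain file name:
// letters, digits, underscore and hyphen, 1 to 64 characters.
// Anything else (slashes, backslashes, dots, empty string) is rejected
// rather than silently mangled, so two different inputs cannot collapse
// onto the same file name.
function safe_file_name(string $name): ?string {
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1) {
        return $name;
    }
    return null;
}

// Build the final path under an intended directory and check that the
// resolved path still lies inside it (belt and braces: with a whitelisted
// name this always holds, but the check documents the invariant).
// $baseDir is an assumed upload directory for this example.
function resolve_inside(string $baseDir, string $name): ?string {
    $safe = safe_file_name($name);
    if ($safe === null) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // directory does not exist
    }
    $path = $base . DIRECTORY_SEPARATOR . $safe;
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // would escape the intended directory
    }
    return $path;
}

// Constructed sample inputs (not real data).
$samples = ["report", "../other/secret", "..\\..\\win", "a/b\\c"];
foreach ($samples as $s) {
    printf("%-18s stripslashes => %-18s safe_file_name => %s\n",
        $s,
        show_stripslashes_effect($s),
        safe_file_name($s) ?? '(rejected)');
}
```

Running this shows `../other/secret` coming back from `stripslashes()` exactly as it went in, while `safe_file_name()` rejects it and accepts only `report`; the `magic_quotes` block in the quoted function is about undoing escaping for database strings, not about path characters.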