Posted by Matthew White on 07/18/07 14:11
"Toby A Inkster" <usenet200707@tobyinkster.co.uk> wrote in message
news:j4v0n4-mvu.ln1@ophelia.g5n.co.uk...
> J.O. Aho wrote:
>
>> $query = "UPDATE tablename SET column1='{$_REQUEST['column1']}',
>> column2='{$_REQUEST['column2']}', column3='{$_REQUEST['column3']}' WHERE
>> keycolumn='{$_REQUEST['keycolumn']}'";
>
> Argh!
>
> $query = sprintf("UPDATE tablename"
> ." SET column2='%s', column3='%s'"
> ." WHERE column1='%s';"
> ,mysql_real_escape_string($_REQUEST['column2'])
> ,mysql_real_escape_string($_REQUEST['column3'])
> ,mysql_real_escape_string($_REQUEST['column1'])
> );
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.12-12mdksmp, up 27 days, 11:55.]
>
> PHP Linkifier
> http://tobyinkster.co.uk/blog/2007/07/18/linkify/
Be sure to clean your input before you put it into the database; that
certainly could present a problem in the future if someone tries an
injection attack. As for using the $_REQUEST array, try to use the more
specific $_GET or $_POST arrays, as the ability to send data through two
methods could cause problems if someone tries to maliciously insert data.
Matt
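Added example, not code from any poster in this thread: the interpolated UPDATE from the quoted PHP next to a hardened version, ported to Python with an in-memory SQLite table so it runs offline. Instead of mysql_real_escape_string it uses bound parameters (the prepared-statement approach), which reach the same goal: quotes in request input stay data rather than becoming SQL syntax. The table, rows and request values are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "tablename";
# one key contains an apostrophe, the everyday case that breaks naive quoting.
ROWS = [
    ("alice", "a1", "a2", "a3"),
    ("bob", "b1", "b2", "b3"),
    ("o'brien", "c1", "c2", "c3"),
]


def fresh_db():
    """In-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (keycolumn TEXT, column1 TEXT, column2 TEXT, column3 TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?, ?, ?, ?)", ROWS)
    return conn


def update_interpolated(conn, request):
    """The quoted PHP pattern: request values pasted into the SQL text. Returns rows changed."""
    sql = ("UPDATE tablename SET column1='{column1}', column2='{column2}', "
           "column3='{column3}' WHERE keycolumn='{keycolumn}'").format(**request)
    return conn.execute(sql).rowcount


def update_parameterized(conn, request):
    """Hardened form: fixed SQL text, every value bound as a parameter. Returns rows changed."""
    sql = "UPDATE tablename SET column1=?, column2=?, column3=? WHERE keycolumn=?"
    params = (request["column1"], request["column2"], request["column3"], request["keycolumn"])
    return conn.execute(sql, params).rowcount


def rows_changed(update_fn, keycolumn):
    """Run one update against a fresh table; report rows touched, or 'error' if it did not parse."""
    request = {"column1": "x", "column2": "y", "column3": "z", "keycolumn": keycolumn}
    try:
        return update_fn(fresh_db(), request)
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    # Interpolation: 1 row, then a syntax error on the apostrophe, then every row on
    # quote-breaking input. Parameter binding: 1, 1 and 0, exactly the keys that match.
    for key in ("bob", "o'brien", "bob' OR '1'='1"):
        print(repr(key), rows_changed(update_interpolated, key), rows_changed(update_parameterized, key))
```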