Posted by Michael Fesser on 08/08/07 17:41
..oO(dkruger)
>Thanks for the tip, I have resolved the problem, but the reason
>mysql_real_escape_string() is not being used is that the query statement
>is generated prior to making a connection to the mysql server, and if
>I understand correctly mysql_real_escape_string has to be run after
>establishing a connection to mysql, which in my situation makes it not
>an option. Since not all of my code was shown previously, there would
>be no way you would have known that was why addslashes was being used
>instead.
addslashes() is _not_ an appropriate way to prevent SQL injection! If
you can't do proper escaping, then your code structure is ... at least
suboptimal (I don't want to call it broken, but it is somewhat). Is
there any particular reason why you can't open a DB connection first?
Usually that's done at the beginning of a script, if there's any DB
operation to be done.
Of course even better would be to use PDO and prepared statements, but
even then you would have to open a connection first, before performing
any action. That's how it should be and how it works.
Another question, just out of curiosity - in your second posting you
wrote:
>Wait, I think I know what the problem is... I just realized it is
>running another query afterward to get the record for the previously
>submitted record, that seems to be the one causing the error.
May I ask how you get the previously inserted record in your second
query? Just want to be sure, because there's a right way and a wrong way
for doing that ...
Micha
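The two points in the reply above, connecting first and then using PDO prepared statements instead of addslashes(), and the right versus wrong way to read back the row you just inserted, shown as one added example. This is not code from the original thread or from either poster; the table name `posts`, the DSN, the credentials and the function names are assumed placeholders.

```php
<?php
// Added example, not from the original post. Assumed schema (placeholder):
//   CREATE TABLE posts (id INT AUTO_INCREMENT PRIMARY KEY,
//                       author VARCHAR(64) NOT NULL, body TEXT NOT NULL);
declare(strict_types=1);

function connect(): PDO
{
    // The connection is opened before any query text is built. The charset
    // in the DSN matters: escaping is only correct for the charset the
    // connection actually uses, which is why addslashes() (charset-unaware)
    // is no substitute and mysql_real_escape_string() needs a live link.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
        'app_user',                                        // assumed credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Right way: the values are bound, so they never become part of the SQL text.
function insertPost(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    // lastInsertId() reads LAST_INSERT_ID() for *this* connection, so it is
    // unaffected by inserts that other clients perform at the same moment.
    return (int) $pdo->lastInsertId();
}

function fetchPost(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Wrong way, shown for contrast only: SELECT MAX(id) is a race. Between this
// client's INSERT and its SELECT, another client's INSERT can raise MAX(id),
// so the "previously submitted record" read back may belong to someone else.
function fetchLatestPostRacy(PDO $pdo): ?array
{
    $row = $pdo->query('SELECT id, author, body FROM posts WHERE id = (SELECT MAX(id) FROM posts)')
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
// Hostile-looking input: with a bound parameter the quotes are data, never syntax.
$id = insertPost($pdo, "O'Brien", "it's 1 OR '1'='1");
var_dump(fetchPost($pdo, $id));
```

The order is the point the reply insists on: connect, then prepare, then execute, then read `lastInsertId()` on the same connection. With the legacy ext/mysql functions the equivalent sequence is mysql_connect(), mysql_real_escape_string() on each value, mysql_query(), and mysql_insert_id() on that link; a SELECT MAX(id) afterwards is the wrong way for the same reason in both APIs.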