Posted by Sanders Kaufman on 08/17/07 00:46
I have a function that passes a csv string to mysql to use as values:
<?php
// Builds the INSERT from a comma-separated value string supplied by the caller.
// Uses the legacy ext/mysql API (mysql_query), as in the original post.
function fnINSERT ($csvValues) {
    $sSQL = "INSERT INTO mytable (
        field_a, field_b
    ) VALUES (
        $csvValues)";
    return mysql_query($sSQL);
}
// note the SQL Injection attack in the 2nd parameter
$csvValues = "1, '1' OR ''='";
$oResult = fnINSERT($csvValues);
?>
$csvValues is already scrubbed for some business logic, but (obviously)
it needs to have that mysql_real_escape function run on each of those
csv values, as well.
For architectural reasons, I can't do the scrubbing before the function
is called, but instead have to do it when it comes to me as this csv SLOB.
My First Question:
Can I run the real escape function on $csvValues as a whole, to
successfully scrub each parameter - or will I experience undesirable
results that way?
My Second Question:
I can convert an array to csv pretty easily, but going the other way
screws me up (because of quoted commas). So, my "architectural reasons"
(for this and some other stuff, too) would evaporate if someone could
help me write a function like this:
function CSVtoArray($sCSV) {
$aryRetVal = array();
$aryRetVal = foo($sCSV);
return $aryRetVal;
}
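An added example covering both questions (this is not part of Sanders Kaufman's post; it is illustration code written for this page). It assumes PHP with the mysqli extension rather than the older ext/mysql used in the post; the $db connection, the table name mytable and the column names are placeholders. On the first question: running the escape function over the whole CSV string also escapes the single quotes that delimit each value, so the query breaks instead of being protected; the fix is to split the string into fields first and then escape (or, better, bind) each field on its own. On the second question: CSVtoArray below is a small state machine that honours double-quoted fields containing commas and doubled quotes.

```php
<?php
// Added example, not from the original post. Assumes PHP 5.x+ with mysqli;
// $db, "mytable" and the column names are placeholders.

/**
 * Split one CSV record into an array of fields. Handles double-quoted
 * fields, which may contain commas, and "" inside quotes as a literal
 * quote (RFC 4180 style). Whitespace after a comma is dropped so that
 * "1, 2" yields array("1", "2").
 */
function CSVtoArray($sCSV) {
    $aryRetVal = array();
    $field     = '';
    $inQuotes  = false;
    $len       = strlen($sCSV);
    for ($i = 0; $i < $len; $i++) {
        $c = $sCSV[$i];
        if ($inQuotes) {
            if ($c === '"') {
                if ($i + 1 < $len && $sCSV[$i + 1] === '"') {
                    $field .= '"';      // "" inside quotes is a literal quote
                    $i++;
                } else {
                    $inQuotes = false;  // closing quote of the field
                }
            } else {
                $field .= $c;           // commas are data while quoted
            }
        } elseif ($c === '"' && $field === '') {
            $inQuotes = true;           // opening quote of a quoted field
        } elseif ($c === ',') {
            $aryRetVal[] = $field;      // field separator
            $field = '';
        } elseif (($c === ' ' || $c === "\t") && $field === '') {
            // skip whitespace between a comma and the next field
        } else {
            $field .= $c;
        }
    }
    $aryRetVal[] = $field;              // last field has no trailing comma
    return $aryRetVal;
}

/**
 * First question: escaping the whole CSV string does not work, because
 * real_escape_string() would also escape the quotes that delimit each
 * value. Parse first, then quote and escape each field on its own.
 */
function quoteEach(mysqli $db, array $values) {
    $quoted = array();
    foreach ($values as $v) {
        $quoted[] = "'" . $db->real_escape_string($v) . "'";
    }
    return implode(', ', $quoted);
}

/**
 * Safer still: bind each parsed field as a prepared-statement parameter,
 * so the values never become part of the SQL text at all.
 */
function fnINSERT(mysqli $db, $csvValues) {
    $columns = array('field_a', 'field_b');   // placeholder column names
    $values  = CSVtoArray($csvValues);
    if (count($values) !== count($columns)) {
        throw new InvalidArgumentException(
            'expected ' . count($columns) . ' values, got ' . count($values));
    }
    $sSQL = 'INSERT INTO mytable (' . implode(', ', $columns) . ') VALUES ('
          . implode(', ', array_fill(0, count($values), '?')) . ')';
    $stmt = $db->prepare($sSQL);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // bind_param() takes its arguments by reference, so build a reference list.
    $args = array(str_repeat('s', count($values)));
    foreach ($values as $k => $v) {
        $args[] = &$values[$k];
    }
    call_user_func_array(array($stmt, 'bind_param'), $args);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed inputs: the injection string from the post, then one with
// quoted commas and an embedded quote.
print_r(CSVtoArray("1, '1' OR ''='"));
print_r(CSVtoArray('1,"Smith, John","He said ""hi"""'));

// $db = new mysqli('localhost', 'user', 'pass', 'dbname');  // placeholder
// $oResult = fnINSERT($db, "1, '1' OR ''='");  // stored as a plain string
?>
```

With the prepared statement the injection payload is simply stored as the literal text '1' OR ''=' in field_b. quoteEach is kept for the case where the query really must be built as a string: it still depends on CSVtoArray having split the fields correctly first, and it quotes every field as a string, so numeric columns rely on MySQL's implicit conversion.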