Posted by Rik on 08/17/07 01:00
On Fri, 17 Aug 2007 02:46:55 +0200, Sanders Kaufman <bucky@kaufman.net> wrote:
> I have a function that passes a csv string to mysql to use as values:
>
> <?php
> function fnINSERT ($csvValues) {
>     // $csvValues is dropped straight into the statement: no escaping,
>     // no quoting, so whatever it contains becomes SQL.
>     $sSQL = "INSERT INTO mytable (
>         field_a, field_b, field_c, field_d
>     ) VALUES (
>         $csvValues)";
>     return mysql_query($sSQL);
> }
>
> //note the SQL Injection attack in the 2nd parameter
> $csvValues = "1, '1' OR ''='";
> $oResult = fnINSERT($csvValues);
> ?>
>
> $csvValues is already scrubbed for some business logic, but (obviously)
> it needs to have that mysql_real_escape function run on each of those
> csv values, as well.
>
> For architectural reasons, I can't do the scrubbing before the function
> is called, but instead have to do it when it comes to me as this csv
> SLOB.
Which shouldn't be the case...
> My First Question:
> Can I run the real escape function on $csvValues as a whole, to
> successfully scrub each parameter - or will I experience undesirable
> results that way?
If there are strings in it: yes, you'll have undesired results.
> My Second Question:
> I can convert an array to csv pretty easily, but going the other way
> screws me up (because of quoted commas). So, my "architectural reasons"
> (for this and some other stuff, too) would evaporate if someone could
> help me write a function like this:
>
> function CSVtoArray($sCSV) {
>     $aryRetVal = array();
>     $aryRetVal = foo($sCSV);
>     return $aryRetVal;
> }
Well, there's one in the making or something:
<http://nl3.php.net/manual/en/function.str-getcsv.php>, it's not in my PHP
though.
You could define a stream to a variable to get fgetcsv() to work for you,
might be some overkill.
In <http://www.php.net/manual/en/function.split.php> there are some
efforts to get it right; which one you choose depends on the exact needs.
-- 
Rik Wasmus
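Both questions in one piece of PHP, as an added example that is not code from either poster. It splits the CSV line with fgetcsv() reading from a php://memory stream (the approach the reply mentions), shows why escaping has to happen per value after the split rather than on the whole line, and rebuilds fnINSERT() on a PDO prepared statement so that no value is concatenated into SQL at all. PDO instead of the old mysql_ extension, the column names and the $oDB connection are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 5.1+ with
// PDO and pdo_mysql; table/column names and $oDB are hypothetical stand-ins.

// Second question: split one CSV line into an array, honouring quoted commas
// and doubled quotes ("" inside a quoted field). fgetcsv() does the real work;
// a php://memory stream lets it read from a string instead of a file.
function CSVtoArray($sCSV) {
    $hStream = fopen('php://memory', 'r+');
    fwrite($hStream, $sCSV);
    rewind($hStream);
    $aryFields = fgetcsv($hStream, 0, ',', '"');
    fclose($hStream);
    if ($aryFields === false) {
        return array();
    }
    // fgetcsv() keeps the space after each comma in "1, 'x'"; drop it so the
    // result matches the spacing style used in the question.
    return array_map('trim', $aryFields);
}

// First question: why escaping the whole line gives undesired results.
// Escaping works on characters, not on fields: after escaping you still hold
// one blob with no record of where each value begins and ends, the numeric
// fields are still unquoted, and the quote an attacker placed in the 2nd
// field is no longer "inside" any string literal. Split first, then escape
// each value on its own and add the surrounding quotes yourself.
function fnQuoteEach(PDO $oDB, $csvValues) {
    $aryQuoted = array();
    foreach (CSVtoArray($csvValues) as $sValue) {
        $aryQuoted[] = $oDB->quote($sValue); // escapes AND wraps in quotes
    }
    return implode(', ', $aryQuoted);
}

// The original function rebuilt on a prepared statement: the column list is
// fixed in code, the values arrive as the CSV "SLOB" and are bound one per
// placeholder, so their content can never change the statement's shape.
function fnINSERT(PDO $oDB, $csvValues) {
    $aryValues  = CSVtoArray($csvValues);
    $aryColumns = array('field_a', 'field_b', 'field_c', 'field_d');
    if (count($aryValues) !== count($aryColumns)) {
        throw new InvalidArgumentException(
            'expected ' . count($aryColumns) . ' values, got ' . count($aryValues));
    }
    $sSQL = 'INSERT INTO mytable (' . implode(', ', $aryColumns) . ') VALUES ('
          . implode(', ', array_fill(0, count($aryColumns), '?')) . ')';
    $oStmt = $oDB->prepare($sSQL);
    return $oStmt->execute($aryValues);
}

// Usage. Parsing alone needs no database: the poster's own payload becomes
// two fields, and a quoted comma or a doubled quote survives as one field.
$csvValues = "1, '1' OR ''='";
print_r(CSVtoArray($csvValues));
print_r(CSVtoArray('"Smith, John","say ""hi""",42'));

// With a live connection (DSN and credentials are placeholders):
// $oDB = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass');
// echo fnQuoteEach($oDB, $csvValues), "\n";
// fnINSERT($oDB, '1,2,3,4');
```

fnQuoteEach() is the answer to the literal question (escape each value, not the line); fnINSERT() is what a practitioner would actually ship, since binding makes the escaping step disappear. Note that trim() in CSVtoArray() also strips leading and trailing spaces inside quoted fields; drop it if that whitespace is significant to the business logic.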