|
|
Posted by Lars Eighner on 10/09/07 03:45
In our last episode, <1191888365.432460.71220@22g2000hsm.googlegroups.com>,
the lovely and talented ashore broadcast on comp.lang.php:
> Guys, I'm adapting the ..._deep() approach to apply it to $_GET and/
> or $_POST arrays as follows, as a lazy way to cleanup input before
> posting it to the database - to prevent SQL injections.
> function quote_smart_deep($value) { // recursive array-capable
> version of quote_smart
> $value = is_array($value) ? array_map('quote_smart_deep',
> $value) : quote_smart($value);
> return $value;
> }
> Anyone see any reason for this not to work? Thanks, all.
It depends upon what function quote_smart() is. There is a function defined
in an example in the manual called quote_smart(). It will not work unless
you have an open link to a database because it uses
mysql_real_escape_string(). Although the second parameter of
mysql_real_escape_string() will default to the last link opened by
mysql_connect(), if that link does not exist, mysql_real_escape_string()
will fail (and so will any function using it such as the quote_smart()
defined in the example or any similar function you might devise that uses
mysql_real_escape_string()).
If you copy quote_smart() from the example or write your own version using
mysql_real_escape_string(), it is best to invoke it as you compose your
query string after you have established your database connection.
--
Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
Countdown: 469 days to go.
What do you do when you're debranded?
Navigation:
[Reply to this message]
|