You are here: Re: How to get data into MySQL with PHP? « PHP Programming Language « IT news, forums, messages
Re: How to get data into MySQL with PHP?

Posted by Kim Andrι Akerψ on 10/08/51 11:33

John Oliver wrote:

> I know absolutely nothing about this. I've been banging around
> various tutorials. Most just sort of skip over this. The closest I
> came is:
>
> http://www.freewebmasterhelp.com/tutorials/phpmysql/4
>
> However, their example:
>
> $query = "INSERT INTO contacts VALUES
> ('','$first','$last','$phone','$mobile','$fax','$email','$web')";
>
> doesn't work, and got me a "Learn how to use SQL Injection" comment.
>
> I need a tutorial that explains this stuff. I don't have the vaguest
> clue what I'm doing, and when the tutorial assumes any pre-existing
> knowledge, I get left behind pretty quickly.

The reason for the "Learn how to use SQL Injection" comments are
justified. If your server hosting has the magic_quotes_gpc setting in
PHP switched off, in addition to having register_globals switched on,
you'll be in trouble with the method above. Then I can delete your
entire address book by entering the following into one of the fields:

'); DELETE FROM contacts;

A better method would be something in the direction of the following:

<?php
// remove slashes for magic_quotes_gpc and injection attacks
$first = stripslashes($_REQUEST["first"]);
$last = stripslashes($_REQUEST["last"]);
$phone = stripslashes($_REQUEST["phone"]);
$mobile = stripslashes($_REQUEST["mobile"]);
$fax = stripslashes($_REQUEST["fax"]);
$email = stripslashes($_REQUEST["email"]);
$web = stripslashes($_REQUEST["web"]);

// the following code is all on one line
$query = "INSERT INTO contacts VALUES
'','".mysql_real_escape_string($first)."','".mysql_real_escape_string($l
ast)."','".mysql_real_escape_string($phone)."','".mysql_real_escape_stri
ng($mobile)."','".mysql_real_escape_string($fax)."','".mysql_real_escape
_string($email)."','".mysql_real_escape_string($web)."')";

// execute the MySQL statement
mysql_query($query);
?>

At least you'll be safer than using your original code. I know, it's a
lot more code, but it's also more secure.

Unfortunately, many tutorials out there teach the absolute simplest
way, which also teache the less secure methods.

--
Kim AndrΓ© AkerΓΈ
- kimandre@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)

 

Navigation:

[Reply to this message]
УдалСнная Ρ€Π°Π±ΠΎΡ‚Π° для программистов  •  Как Π·Π°Ρ€Π°Π±ΠΎΡ‚Π°Ρ‚ΡŒ Π½Π° Google AdSense  •  England, UK  •  ΡΡ‚Π°Ρ‚ΡŒΠΈ Π½Π° английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Π‘Π°ΠΉΡ‚ ΠΈΠ·Π³ΠΎΡ‚ΠΎΠ²Π»Π΅Π½ Π² Π‘Ρ‚ΡƒΠ΄ΠΈΠΈ Π’Π°Π»Π΅Π½Ρ‚ΠΈΠ½Π° ΠŸΠ΅Ρ‚Ρ€ΡƒΡ‡Π΅ΠΊΠ°
ΠΈΠ·Π³ΠΎΡ‚ΠΎΠ²Π»Π΅Π½ΠΈΠ΅ ΠΈ ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΊΠ° Π²Π΅Π±-сайтов, Ρ€Π°Π·Ρ€Π°Π±ΠΎΡ‚ΠΊΠ° ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠ½ΠΎΠ³ΠΎ обСспСчСния, поисковая оптимизация