Posted by Josh Whiting on 10/05/38 11:11

On Thu, Mar 17, 2005 at 11:01:44AM -0500, John Taylor-Johnston wrote:
> Hi,
>
> I've read:
>
> > http://dev.mysql.com/doc/mysql/en/create-table.html
>
> Would anyone code/approach this differently?
[...]
> $sql = "INSERT INTO $table
> (StudentNumber,Exercise1,Exercise2) values
> ('$StudentNumber','$Exercise1','$Exercise2')";
>
> mysql_select_db($db,$myconnection);
> mysql_query($sql) or die(print mysql_error());
>

your example looks pretty solid, but the code above does not escape the
$StudentNumber, $Exercise1, and $Exercise2 variables. If any of these
variables contain data that when placed into the SQL string interferes
with the SQL itself, you'll have unexpected failures and also a security
hole if untrusted users can populate those variables. The solution is
to wrap any strings or untrusted input like that in a call to
mysql_escape_string(), like so:

$sql = "INSERT INTO $table
(StudentNumber,Exercise1,Exercise2) values ('".
mysql_escape_string($StudentNumber)."','".
mysql_escape_string($Exercise1)."','".
mysql_escape_string($Exercise2)."')";

-jw

• Next in thread: Re: [PHP] Different approach?
• Prev in thread: Re: [PHP] Re: Different approach?
• Next in forum: Re: [PHP] Authorization header is missing from apache_request_headers() array
• Prev in forum: access violation
• Thread view: Different approach?

[Reply to this message]