You are here: Re: [PHP] Different approach? « PHP « IT news, forums, messages
Re: [PHP] Different approach?

Posted by Josh Whiting on 10/21/38 11:11

On Thu, Mar 17, 2005 at 11:01:44AM -0500, John Taylor-Johnston wrote:
> Hi,
>
> I've read:
>
> > http://dev.mysql.com/doc/mysql/en/create-table.html
>
> Would anyone code/approach this differently?
[...]
> $sql = "INSERT INTO $table
> (StudentNumber,Exercise1,Exercise2) values
> ('$StudentNumber','$Exercise1','$Exercise2')";
>
> mysql_select_db($db,$myconnection);
> mysql_query($sql) or die(print mysql_error());
>

your example looks pretty solid, but the code above does not escape the
$StudentNumber, $Exercise1, and $Exercise2 variables. If any of these
variables contain data that when placed into the SQL string interferes
with the SQL itself, you'll have unexpected failures and also a security
hole if untrusted users can populate those variables. The solution is
to wrap any strings or untrusted input like that in a call to
mysql_escape_string(), like so:

$sql = "INSERT INTO $table
(StudentNumber,Exercise1,Exercise2) values ('".
mysql_escape_string($StudentNumber)."','".
mysql_escape_string($Exercise1)."','".
mysql_escape_string($Exercise2)."')";

-jw

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация