|
|
Posted by John Taylor-Johnston on 10/06/01 11:11
Thanks! Needed to know that!
:) John
Josh Whiting wrote:
> > $sql = "INSERT INTO $table
> > (StudentNumber,Exercise1,Exercise2) values
> > ('$StudentNumber','$Exercise1','$Exercise2')";
> >
> > mysql_select_db($db,$myconnection);
> > mysql_query($sql) or die(print mysql_error());
> >
>
> your example looks pretty solid, but the code above does not escape the
> $StudentNumber, $Exercise1, and $Exercise2 variables. If any of these
> variables contain data that when placed into the SQL string interferes
> with the SQL itself, you'll have unexpected failures and also a security
> hole if untrusted users can populate those variables. The solution is
> to wrap any strings or untrusted input like that in a call to
> mysql_escape_string(), like so:
>
> $sql = "INSERT INTO $table
> (StudentNumber,Exercise1,Exercise2) values ('".
> mysql_escape_string($StudentNumber)."','".
> mysql_escape_string($Exercise1)."','".
> mysql_escape_string($Exercise2)."')";
Navigation:
[Reply to this message]
|