Posted by Jim Michaels on 10/12/77 11:39

"Iv�n S�nchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> noone wrote:
>
>>>>$sqli = "insert into tableA values ";
>>>>$sqli .= "('".$_POST['varchar']."',".$_POST['integer']")";
>>
>> goes without saying... merely a test example of how to enclose the
>> varchar data with single-quote "'".
>
> That's an example of a SQL injection, you should know that, and you should
> teach newbies to use RDBMS-specific techniques of escaping alphanumeric
> data prior to its usage in any SQL statement instead of posting such an
> example.
>
> This is how it should be done:
>

how about one line with a little more security:

<?php
$sqli = "INSERT INTO tableA VALUES ('" .
str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>


>
> I will reiterate myself. Never ever trust *any* data entered by *any*
> user.
>
>> You also want to use a platform that is nearly impossible to crack.
>
> Why should I matter about the platform, if anybody can inject SQL??
>
> - --
> - ----------------------------------
> Iv�n S�nchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
>
> Realid�metro: [\.......] Hmmm! No debe de funcionar.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFD5V+t3jcQ2mg3Pc8RAhhBAJ47q4fcUY82N6Fz9iigEJqaaQHNiACfVVHo
> bKJv8KIXNnXuTjqv3sXXTCc=
> =lFc5
> -----END PGP SIGNATURE-----

• Next in forum: PHP Shopping mall scripts
• Prev in forum: Re: Newbie help with xml_parsed array
• Thread view: Re: Editing a string to add a \ before a '

[Reply to this message]