Re: Editing a string to add a \ before a '

Posted by Jim Michaels on 10/31/77 11:39

"Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> noone wrote:
>
>>>>$sqli = "insert into tableA values ";
>>>>$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>>
>> goes without saying... merely a test example of how to enclose the
>> varchar data with single-quote "'".
>
> That's an example of a SQL injection, you should know that, and you should
> teach newbies to use RDBMS-specific techniques of escaping alphanumeric
> data prior to its usage in any SQL statement instead of posting such an
> example.
>
> This is how it should be done:
>

How about one line with a little more security:

<?php
// Needs an open connection made with mysql_connect(); mysql_real_escape_string()
// escapes according to that connection's character set. The mysql_* extension
// was removed in PHP 7, so on current PHP the equivalent is mysqli or PDO.
$sqli = "INSERT INTO tableA VALUES ('" .
    str_replace(";", "", mysql_real_escape_string($_POST['varchar'])) . "'," .
    intval($_POST['integer']) . ")";
?>


>
> I will reiterate myself. Never ever trust *any* data entered by *any*
> user.
>
>> You also want to use a platform that is nearly impossible to crack.
>
> Why should I care about the platform, if anybody can inject SQL??
>
> - --
> - ----------------------------------
> Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
>
> Realidómetro (reality meter): [\.......] Hmmm! It can't be working.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFD5V+t3jcQ2mg3Pc8RAhhBAJ47q4fcUY82N6Fz9iigEJqaaQHNiACfVVHo
> bKJv8KIXNnXuTjqv3sXXTCc=
> =lFc5
> -----END PGP SIGNATURE-----
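Added example, not from this thread or either poster: the three ways of building the INSERT that the thread discusses, written in Python against an in-memory SQLite table so the effect can be reproduced offline. SQLite stands in for MySQL, to_int() for PHP's intval(), and doubling the quote character for mysql_real_escape_string(); the table name tableA is the thread's, while the column names, the payload and the other inputs are constructed for the example. It builds the statement noone's way (raw concatenation), Jim's way (escape, strip ";", intval) and as a parameterised statement, and feeds each the same payload.

```python
import sqlite3

# Constructed sample inputs standing in for $_POST['varchar'] / $_POST['integer'].
# The payload closes the quoted value and appends a second row; it needs no
# semicolon and no second statement, so a ";" filter does nothing against it.
PAYLOAD = "legit', 0), ('injected"
LEGIT_WITH_SEMICOLON = "a;b"
GOOD_INT = "42"


def fresh_db():
    """In-memory SQLite table; column names are assumed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableA (name TEXT, num INTEGER)")
    return conn


def to_int(value):
    """Rough analogue of PHP intval(): leading (signed) digits, else 0."""
    digits = ""
    for ch in value.strip():
        if ch.isdigit() or (ch == "-" and not digits):
            digits += ch
        else:
            break
    return int(digits) if digits.strip("-") else 0


def sql_escape(value):
    """SQLite analogue of mysql_real_escape_string(): double the quote character.
    Only correct when the result is placed between single quotes."""
    return value.replace("'", "''")


def insert_unescaped(conn, varchar, integer):
    """noone's pattern: raw POST data spliced into the SQL text."""
    sql = "INSERT INTO tableA VALUES ('" + varchar + "'," + str(to_int(integer)) + ")"
    conn.execute(sql)
    return sql


def insert_escaped(conn, varchar, integer):
    """Jim's one-liner: escape the string, strip ';', intval() the number."""
    sql = ("INSERT INTO tableA VALUES ('"
           + sql_escape(varchar).replace(";", "")
           + "'," + str(to_int(integer)) + ")")
    conn.execute(sql)
    return sql


def insert_param(conn, varchar, integer):
    """Prepared statement: the driver sends values separately from the SQL text,
    so a quote in the value is data, never syntax."""
    conn.execute("INSERT INTO tableA VALUES (?, ?)", (varchar, to_int(integer)))


def rows(conn):
    return conn.execute("SELECT name, num FROM tableA ORDER BY rowid").fetchall()


def run(inserter, varchar, integer=GOOD_INT):
    """Fresh table, one insert, return what ended up stored."""
    conn = fresh_db()
    inserter(conn, varchar, integer)
    return rows(conn)


if __name__ == "__main__":
    print(run(insert_unescaped, PAYLOAD))          # two rows: the injection landed
    print(run(insert_escaped, PAYLOAD))            # one row holding the payload text
    print(run(insert_param, PAYLOAD))              # same, no escaping needed
    print(run(insert_escaped, LEGIT_WITH_SEMICOLON))  # legitimate "a;b" mangled to "ab"
    print(run(insert_param, LEGIT_WITH_SEMICOLON))    # stored as typed
```

The payload gets in through the unescaped build by closing the quoted value and adding a second row tuple, with no semicolon anywhere, so the str_replace(";", "") buys nothing against it while silently corrupting legitimate values such as "a;b". What actually stops it is escaping the quote, and that only holds while the escaped value sits between single quotes and mysql_real_escape_string() knows the connection's character set (mysql_escape_string() does not, which is why it was deprecated). PHP's mysql_query() does not run stacked statements at all, so a second statement after a ";" was never the realistic threat here. The parameterised form needs neither escaping nor filtering and stores both inputs unchanged; intval() remains the right treatment for the integer slot, which quoting does not protect.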
