Re: Editing a string to add a \ before a ' — PHP Programming Language

You are here: Re: Editing a string to add a \ before a ' « PHP Programming Language « IT news, forums, messages

Posted by Andy Hassall on 02/26/06 15:29

On Tue, 7 Feb 2006 23:46:17 -0800, "Jim Michaels" <jmichae3@nospam.yahoo.com>
wrote:

>how about one line with a little more security:
>
> <?php
>$sqli = "INSERT INTO tableA VALUES ('" .
>str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
>intval($_POST['integer']) . ")";
>?>

If you're escaping the value correctly with mysql_real_escape_string and have
enclosed that in single quotes, there's no need to remove semicolons. All
you're doing is corrupting data; you're not adding any more security.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

Navigation:

Next in forum: Re: Confusing session behaviour
Prev in forum: Re: Must set and immediately get $_SESSION variable - help!
Thread view: Re: Editing a string to add a \ before a '

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация