Reply to Re: help : apostrophe/single quotation mark — PHP Programming Language

Posted by Toby A Inkster on 03/06/07 21:48

dajava wrote:

> $query = "INSERT INTO `Dora_Board` (`Title` , `Writer`,
> `Password`, `Contents`, `Date`, `Ip`) ";
> $query = $query . "VALUES ('" . (string)$title . "', '" .
> (string)$writer . "', '" . (string)$password . "', ";
> $query = $query . "'" . (string)$contents . "', '" . (string)
> $date . "', '" . (string)$ip . "')";

As I said -- mysql_real_escape_string(). Replace the above with:

$query = sprintf("INSERT INTO Dora_Board (Title, Writer, Password, Contents, Date, Ip)
VALUES ('%s', '%s', '%s', '%s', '%s', '%s');",
mysql_real_escape_string($title),
mysql_real_escape_string($writer),
mysql_real_escape_string($password),
mysql_real_escape_string($contents),
mysql_real_escape_string($date),
mysql_real_escape_string($ip));

There are several other chunks of code that need rewriting similarly, but
that should fix the immediate problem.

If you don't fix these problems your site is open to being cracked by
nasty people. Yes, really.

Google: mysql_real_escape_string.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

[Back to original message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация