Posted by Rik on 03/09/07 17:01
shimmyshack <matt.farey@gmail.com> wrote:
> also try not to get hacked:
> make life easy on yourself, escape all values that go into the
> database, to avoid SQL injection.
>
> EVERY VALUE SHOULD HAVE CORRECT TYPE
> $name[1] -> string
> $filesize -> int?
> $height -> int?
> $p -> string
>
> EVERY STRING (or even int) NEEDS TO BE ESCAPED USING
> mysql_real_escape() or better mysql_real_escape_string(
>
>
> $insertSQL = sprintf(
> "INSERT INTO `images3` " .
> "(`name`, `folder`, `type`, `filesize`, `orig_width`, " .
> "`orig_height`, `resize_width`, `resize_height`, `p`)" .
> "VALUES( '%s', '%s', '%s', '%d', '%d', '%d' , '%d', '%d', '%s')",
> mysql_real_escape_string($name[1]),
> mysql_real_escape_string($path),
> mysql_real_escape_string($filetype),
> mysql_real_escape_string($filesize),
> mysql_real_escape_string($width),
> mysql_real_escape_string($height),
> mysql_real_escape_string($n_width[0]),
> mysql_real_escape_string($n_width[1]),
> mysql_real_escape_string($p)
> );
>
> this gets boring, so why not have your vars in an array and use
> array_walk to escape the values
Indeed, something I like to do when the variables are set up, really keeps
it manageable.
Also an option with MDB2 prepared statements:
require_once 'MDB2.php';
// MDB2 objects come from the static factory, not from `new MDB2()`
$db = MDB2::factory('mysqli://user:pass@host/database');
if (PEAR::isError($db)) {
    die($db->getMessage());
}
$db->loadModule('Extended', null, false);
$inserts = array();
// the types are declared once for the placeholders, so every value is
// bound as text or integer no matter what the loop below puts in
$stmt = $db->prepare(
    'INSERT INTO `table` (`field`,`foo`,`bar`) VALUES (:field,:foo,:bar)',
    array('text','text','integer'),
    MDB2_PREPARE_MANIP);
foreach($something as $item){
    //some code
    // compact() takes variable names as strings and returns an array keyed by them
    $inserts[] = compact('field','foo','bar');
}
$db->extended->executeMultiple($stmt,$inserts);
-- 
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
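As an added example, not part of Rik's or shimmyshack's posts: the same prepare-once, execute-per-row idea written against PDO, which is what replaced both the mysql_* escaping functions and PEAR MDB2 in later PHP. It assumes a PHP build with pdo_sqlite so it runs offline; the images3 table, its columns and the sample rows are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): prepared statement with typed
// bindings, executed once per row inside a transaction. An in-memory
// SQLite database stands in for MySQL so the script runs offline.

function buildInsertStatement(PDO $db): PDOStatement
{
    // Placeholders instead of sprintf()/escaping: the value never becomes
    // part of the SQL text, so a missed escape cannot turn into injection.
    return $db->prepare(
        'INSERT INTO images3 (name, folder, type, filesize, orig_width, orig_height, p)
         VALUES (:name, :folder, :type, :filesize, :orig_width, :orig_height, :p)'
    );
}

function insertImages(PDO $db, array $rows): int
{
    $stmt = buildInsertStatement($db);
    $db->beginTransaction();
    foreach ($rows as $row) {
        // Explicit casts plus PDO::PARAM_* make the "every value should have
        // the correct type" rule from the thread something the code enforces.
        $stmt->bindValue(':name',        (string) $row['name'],     PDO::PARAM_STR);
        $stmt->bindValue(':folder',      (string) $row['folder'],   PDO::PARAM_STR);
        $stmt->bindValue(':type',        (string) $row['type'],     PDO::PARAM_STR);
        $stmt->bindValue(':filesize',    (int) $row['filesize'],    PDO::PARAM_INT);
        $stmt->bindValue(':orig_width',  (int) $row['orig_width'],  PDO::PARAM_INT);
        $stmt->bindValue(':orig_height', (int) $row['orig_height'], PDO::PARAM_INT);
        $stmt->bindValue(':p',           (string) $row['p'],        PDO::PARAM_STR);
        $stmt->execute();
    }
    $db->commit();
    return count($rows);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images3 (name TEXT, folder TEXT, type TEXT, filesize INTEGER,
           orig_width INTEGER, orig_height INTEGER, p TEXT)');

// Constructed sample rows. The second name contains a single quote that
// would break a query built by string concatenation; filesize arrives as a
// string, as it would from a form, and is stored as an integer anyway.
$rows = [
    ['name' => 'photo.jpg',   'folder' => '/img', 'type' => 'image/jpeg',
     'filesize' => 10240,     'orig_width' => 800, 'orig_height' => 600, 'p' => 'x'],
    ['name' => "o'brien.png", 'folder' => '/img', 'type' => 'image/png',
     'filesize' => '2048',    'orig_width' => 100, 'orig_height' => 100, 'p' => 'y'],
];

$n = insertImages($db, $rows);
echo $n, " rows inserted, ",
     $db->query('SELECT COUNT(*) FROM images3')->fetchColumn(), " rows in table\n";
```

Binding by name keeps the column list and the value list from drifting apart when a column is added, which is the same maintenance problem the array_walk suggestion in the thread was addressing, and the typed bindings do the job of the '%d' format specifiers without any quoting of the SQL text.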