Posted by Toby A Inkster on 05/04/07 15:30
Geoff Berrow wrote:
> David Gillen wrote:
>
>> You can insert the following snippet
>> foreach($_POST as $key=>$val)
>> {
>> $$key = $val;
>> }
>
> Never trust user supplied data.
> But (for mysql) you could do:
> foreach($_POST as $key=>$val)
> {
> $$key = mysql_real_escape_string($val);
> }
That's no better really. Consider this (we'll use $_GET as an example instead
of POST, as it's easier to illustrate, but the same principle applies):
http://example.com/foo.php?_SESSION[is_administrator]=1
or, say you log IP addresses into your database whenever someone edits
data...
http://example.com/foo.php?_SERVER[REMOTE_ADDR]=123.45.67.89
--
Toby A Inkster BSc (Hons) ARCS
http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux
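The point Toby is making, shown as a runnable script. This is an added example, not code from the thread: the request data is constructed inline (a client sending a field literally named `_SESSION[is_administrator]`), and `importFields` with its `$allowed` whitelist is an assumed replacement, not anything the posters proposed.

```php
<?php
// Added example, not code from the thread. Shows why the quoted foreach/$$key
// loop is unsafe even with escaping, and a whitelist alternative.
// All request data is constructed inline so the script runs offline.

// Constructed request: the client sends a field named "_SESSION[is_administrator]".
// PHP parses that name into a nested array, so
// $_GET['_SESSION'] === ['is_administrator' => '1'].
$_GET = [
    'username' => 'alice',
    '_SESSION' => ['is_administrator' => '1'],
];
$_SESSION = ['is_administrator' => false];

// --- The quoted pattern, at global scope exactly as in the thread -------
// $$key names a global variable from client-controlled data. When $key is
// '_SESSION' (or '_SERVER'), the assignment replaces the superglobal itself.
// Escaping the value with mysql_real_escape_string() changes nothing here:
// the defect is in the variable *name*, which the client chooses.
foreach ($_GET as $key => $val) {
    $$key = $val;
}
var_dump($_SESSION);   // now holds whatever the client sent

// --- Safer alternative: copy only named, expected fields ----------------
// Reset state so the second half of the demonstration starts clean.
$_SESSION = ['is_administrator' => false];

/**
 * Copy known fields out of a request array. Field names come from the
 * application ($allowed), never from the client, so no global can be
 * overwritten. Nested arrays such as a fabricated "_SESSION[...]" are
 * ignored because only scalar values are accepted.
 */
function importFields(array $input, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name) {
        if (isset($input[$name]) && is_scalar($input[$name])) {
            $clean[$name] = (string) $input[$name];
        }
    }
    return $clean;
}

$fields = importFields($_GET, ['username', 'email']);
var_dump($fields);     // only 'username' survives
var_dump($_SESSION);   // untouched: is_administrator is still false
```

Running the first half shows `$_SESSION` replaced by the client's array; the second half keeps the superglobal intact and yields only the whitelisted `username`. Escaping or parameterising values still belongs at the point of use (prepared statements for SQL), not in the import loop, because that loop's problem was never the value.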