Re: Saving a form to the server

Posted by Mike P2 on 05/13/07 23:38

On May 13, 7:26 pm, Dave Kelly <daveeke...@earthlink.net> wrote:
> Mike P2 wrote:
> > ?>
>
> > Let's assume you made $_REQUEST['name'] and $describe11 safe for the
> > file system.
> > ?>
>
> You should make that
>
> > variable safe for the file system before using it, though.
>
> To isolate one question: I have searched for "make variable safe" and this
> is what I found. Is this what you intended by the above statements?
>
> <?php //quote-smart.php
> // Quote variable to make safe
> function quote_smart($value) {
>     // Stripslashes
>     if (get_magic_quotes_gpc()) {
>         $value = stripslashes($value);
>     }
>     // Quote if not integer
>     if (!is_numeric($value) || $value[0] == '0') {
>         $value = "'" . mysql_real_escape_string($value) . "'";
>     }
>     return $value;
> }
>
> ?>
>
> --
> A little rum in the morning coffee. Just to clear the cobwebs, ya know.

That function is for making data safe to insert into the database.
What I meant was to strip out forward slashes and backslashes, because
otherwise they could put in a name that would make a file path that's
not where you want it to be.

If they put a slash in it, PHP might think it means the first part is
a folder.

-Mike PII
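
The contrast Mike is drawing, as an added example in PHP that is not code posted in this thread: a form handler that drops the raw "name" field straight into a file path, beside a hardened version that whitelists the characters (rather than only removing the two slash characters) and then confirms with realpath() that the resolved location is still inside the save folder. The folder name saved_forms, the field name, the 64-character limit and the sample inputs are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The save directory, the
// form field and the sample inputs below are assumptions.

const SAVE_DIR = __DIR__ . '/saved_forms';

/**
 * Vulnerable version (shown for contrast, never called below):
 * the raw request value becomes part of the path, so a name such as
 * "../../somewhere/else" or "..\..\x" writes outside SAVE_DIR.
 */
function save_form_unsafe(string $name, string $body): string
{
    $path = SAVE_DIR . '/' . $name . '.txt';
    file_put_contents($path, $body);
    return $path;
}

/**
 * Reduce a user-supplied name to a file name that cannot carry a
 * directory component: keep only a whitelist of characters, then make
 * sure no ".." survives and the result is not empty.
 */
function safe_filename(string $name): string
{
    // Anything that is not a letter, digit, underscore, dot or hyphen
    // (so every '/' and '\' as well) is dropped.
    $clean = preg_replace('/[^A-Za-z0-9_.-]/', '', $name);
    // Collapse runs of dots so ".." cannot remain, then strip edge dots.
    $clean = preg_replace('/\.{2,}/', '.', $clean);
    $clean = trim($clean, '.');
    if ($clean === '') {
        throw new InvalidArgumentException('name has no usable characters');
    }
    return substr($clean, 0, 64); // assumed length limit
}

/**
 * Hardened version: sanitised name plus a check that the directory the
 * file will land in is exactly the intended one.
 */
function save_form_safe(string $name, string $body): string
{
    if (!is_dir(SAVE_DIR) && !mkdir(SAVE_DIR, 0750, true)) {
        throw new RuntimeException('cannot create ' . SAVE_DIR);
    }
    $base = realpath(SAVE_DIR);
    $path = $base . DIRECTORY_SEPARATOR . safe_filename($name) . '.txt';

    // Belt and braces: the parent of the final path must resolve to $base.
    if (realpath(dirname($path)) !== $base) {
        throw new RuntimeException('path escapes save directory');
    }
    file_put_contents($path, $body, LOCK_EX);
    return $path;
}

// Constructed inputs of the kind a form field could deliver.
$samples = ['dave', '../../etc/passwd', 'a/b\\c', '..', 'réport 1'];
foreach ($samples as $s) {
    try {
        $saved = save_form_safe($s, "hello\n");
        echo str_pad($s, 20), ' -> ', basename($saved), PHP_EOL;
    } catch (Exception $e) {
        echo str_pad($s, 20), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

With these inputs "../../etc/passwd" becomes etcpasswd.txt, "a/b\c" becomes abc.txt, "réport 1" becomes rport1.txt, and ".." is rejected because nothing usable is left. Whitelisting is preferred over deleting just "/" and "\" because it also removes NUL bytes, control characters and anything else the file system or a later shell call might interpret; the realpath() comparison is there so that a mistake in the sanitiser still cannot place a file elsewhere.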
