Reply to Re: Updating MySQL with PHP

Your name:

Reply:


Posted by Matthew White on 07/18/07 14:11

"Toby A Inkster" <usenet200707@tobyinkster.co.uk> wrote in message
news:j4v0n4-mvu.ln1@ophelia.g5n.co.uk...
> J.O. Aho wrote:
>
>> $query("UPDATE tablename SET column1='{$_REQUEST['column1']}',
>> column2='{$_REQUEST['column2']}', column3='{$_REQUEST['column3']}' WHERE
>> keycolumn='{$_REQUEST['keycolumn']}'";
>
> Argh!
>
> $query = sprintf("UPDATE tablename"
> ." SET column2='%s', column3='%s'"
> ." WHERE column1='%s';"
> ,mysql_real_escape_string($_REQUEST['column2'])
> ,mysql_real_escape_string($_REQUEST['column3'])
> ,mysql_real_escape_string($_REQUEST['column1'])
> );
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.12-12mdksmp, up 27 days, 11:55.]
>
> PHP Linkifier
> http://tobyinkster.co.uk/blog/2007/07/18/linkify/

Be sure to clean your input before you put it into the database, that
certainly could present a problem in the future if someone tries an
Injection attack. As for using the $_REQUEST array, try to use the more
specific $_GET or $_POST arrays, as the ability to send data through two
methods could cause problems if someone tries to maliciously insert data.

Matt

[Back to original message]
Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация