Re: Inserting NULL Integer Values

Posted by Oliver Grätz on 10/19/05 04:45

Shaun schrieb:
> $qid = mysql_query('INSERT INTO MYTABLE (
> column1,
> column2
> ) VALUES (
> "'.$value1.'",
> "'.$value2.'"
> )');

A bit off-topic but important: Always make sure that you check the
contents of $value1 and $value2 before putting them into the query!
With

$value1 = 'xyz","xyz"); DELETE FROM MYTABLE;';

you might get surprising results!

This is called SQL injection and it's important to escape all the values
before putting them into the statement.

An even better solution is prepared statements! With PDO (available as
an extension for PHP 5.x) these are natively supported. You prepare the
statements without any of the values and call them with the values. The
engine automatically escapes your data.

OLLi
____________
Bug? That's not a bug, that's a feature.
[T. John Wendel]
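The two approaches from the reply above, side by side, as an added example that is not part of the original post: it assumes PHP with PDO and the pdo_sqlite driver (an in-memory SQLite database stands in for MySQL so it runs offline), keeps the thread's MYTABLE/column1/column2 names, and uses constructed values. The function names insertUnsafe, insertSafe and rowCount are my own.

```php
<?php
// Added example, not code from the original thread. Assumes the pdo_sqlite
// extension; an in-memory SQLite database stands in for MySQL so the script
// runs offline. Table and column names follow the thread; every value below
// is constructed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE MYTABLE (column1 TEXT, column2 INTEGER)');

// The pattern from the quoted message: the values are pasted into the SQL
// text, so the database cannot tell data from code. Standard single-quoted
// literals are used instead of MySQL's double quotes; the flaw is the same.
function insertUnsafe(PDO $pdo, string $value1, string $value2): void
{
    $sql = "INSERT INTO MYTABLE (column1, column2) VALUES ('" . $value1 . "', '" . $value2 . "')";
    $pdo->exec($sql);
}

// A prepared statement: the SQL with placeholders is sent first and the
// values afterwards, so a value can never change the statement's structure.
function insertSafe(PDO $pdo, string $value1, ?int $value2): void
{
    $stmt = $pdo->prepare('INSERT INTO MYTABLE (column1, column2) VALUES (:c1, :c2)');
    $stmt->bindValue(':c1', $value1, PDO::PARAM_STR);
    // Bind NULL as PDO::PARAM_NULL so a real SQL NULL lands in the integer
    // column rather than the string "NULL" or 0 (the question the thread
    // started with).
    $stmt->bindValue(':c2', $value2, $value2 === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    $stmt->execute();
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM MYTABLE')->fetchColumn();
}

// Payload in the spirit of the reply's example, closed with an SQL comment
// so the tail of the original statement is ignored by the parser.
$evil = "xyz', 1); DELETE FROM MYTABLE; --";

insertSafe($pdo, 'first row', 42);
echo "rows before the attack: " . rowCount($pdo) . "\n";

insertUnsafe($pdo, $evil, '7');
echo "rows after insertUnsafe: " . rowCount($pdo) . "\n";  // the smuggled DELETE ran

insertSafe($pdo, $evil, null);
echo "rows after insertSafe: " . rowCount($pdo) . "\n";    // the payload is stored as plain text
$row = $pdo->query('SELECT column1, column2 FROM MYTABLE')->fetch(PDO::FETCH_ASSOC);
var_dump($row['column1'] === $evil, $row['column2']);      // column2 is a real NULL
```

Running it shows the table emptied after the unsafe insert and a single row, with the payload stored verbatim as column1 and NULL in column2, after the safe one. Two caveats for MySQL: the old mysql_query() used in the thread refuses more than one statement per call, which blocks this particular DELETE but not payloads that rewrite the single statement (subqueries, altered values, UNIONs in a SELECT); and with PDO_MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client, handles the parameters.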



Copyright © 2005-2006 Powered by Custom PHP Programming