|
Posted by Josh Whiting on 10/16/38 11:11
On Thu, Mar 17, 2005 at 11:01:44AM -0500, John Taylor-Johnston wrote:
> Hi,
>
> I've read:
>
> > http://dev.mysql.com/doc/mysql/en/create-table.html
>
> Would anyone code/approach this differently?
[...]
> $sql = "INSERT INTO $table
> (StudentNumber,Exercise1,Exercise2) values
> ('$StudentNumber','$Exercise1','$Exercise2')";
>
> mysql_select_db($db,$myconnection);
> mysql_query($sql) or die(print mysql_error());
>
your example looks pretty solid, but the code above does not escape the
$StudentNumber, $Exercise1, and $Exercise2 variables. If any of these
variables contain data that when placed into the SQL string interferes
with the SQL itself, you'll have unexpected failures and also a security
hole if untrusted users can populate those variables. The solution is
to wrap any strings or untrusted input like that in a call to
mysql_escape_string(), like so:
$sql = "INSERT INTO $table
(StudentNumber,Exercise1,Exercise2) values ('".
mysql_escape_string($StudentNumber)."','".
mysql_escape_string($Exercise1)."','".
mysql_escape_string($Exercise2)."')";
-jw
[Back to original message]
|