Reply to Re: [PHP] Different approach?

Your name:

Reply:


Posted by John Taylor-Johnston on 09/30/01 11:11

Thanks! Needed to know that!
:) John

Josh Whiting wrote:

> > $sql = "INSERT INTO $table
> > (StudentNumber,Exercise1,Exercise2) values
> > ('$StudentNumber','$Exercise1','$Exercise2')";
> >
> > mysql_select_db($db,$myconnection);
> > mysql_query($sql) or die(print mysql_error());
> >
>
> your example looks pretty solid, but the code above does not escape the
> $StudentNumber, $Exercise1, and $Exercise2 variables. If any of these
> variables contain data that when placed into the SQL string interferes
> with the SQL itself, you'll have unexpected failures and also a security
> hole if untrusted users can populate those variables. The solution is
> to wrap any strings or untrusted input like that in a call to
> mysql_escape_string(), like so:
>
> $sql = "INSERT INTO $table
> (StudentNumber,Exercise1,Exercise2) values ('".
> mysql_escape_string($StudentNumber)."','".
> mysql_escape_string($Exercise1)."','".
> mysql_escape_string($Exercise2)."')";

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация