Posted by Iván Sánchez Ortega on 02/04/06 21:18
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
noone wrote:
> $sqli = "insert into tableA values ";
> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
PHP security 101: never ever put values posted by a user directly into a DB
query, without checking them, escaping them, and treating them as nuclear
waste.
The above is a very clear example of a SQL injection vulnerability.
- --
- ----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
http://acm.asoc.fi.upm.es/~mr/
Proudly running Debian Linux with 2.6.12-1-686 kernel, KDE3.5.0, and PHP
5.1.2-1 generating this signature.
Uptime: 20:16:47 up 23:45, 2 users, load average: 0.21, 0.37, 0.26
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD5P3u3jcQ2mg3Pc8RApygAJsGphJajK7EBcNSs3mgvb6LJ2oEigCfc4Md
8oq3CdWHeuGdAbzmVKbqEtY=
=3ktL
-----END PGP SIGNATURE-----
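Added example, not part of the original thread or either poster's code: the quoted concatenated INSERT placed beside a prepared-statement version of the same operation. It runs stand-alone against an in-memory SQLite database via PDO; the table layout (tableA with columns name_col and int_col) and the sample $_POST contents are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Compares the concatenated
// INSERT quoted in the thread with a prepared statement that binds the
// user-supplied values as parameters. Table and column names are assumed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tableA (name_col TEXT, int_col INTEGER)');

// Constructed stand-in for $_POST; a name containing an apostrophe is an
// ordinary, non-malicious input that the concatenated version cannot handle.
$post = ['varchar' => "O'Brien", 'integer' => '42'];

// 1) The pattern from the quoted post: values spliced into the SQL text.
//    The apostrophe ends the string literal early, so the statement fails;
//    whatever else a user types is parsed as SQL in the same way.
function insertConcatenated(PDO $db, array $post): bool {
    $sql = "insert into tableA values ('" . $post['varchar'] . "'," . $post['integer'] . ")";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo "concatenated insert failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// 2) Prepared statement with bound parameters: the query text is fixed and
//    the values are sent separately, so they are stored as data, never
//    interpreted as SQL. The integer is validated before it reaches the DB.
function insertPrepared(PDO $db, array $post): bool {
    $int = filter_var($post['integer'] ?? null, FILTER_VALIDATE_INT);
    if ($int === false) {
        echo "rejected: 'integer' is not an integer\n";
        return false;
    }
    $name = (string)($post['varchar'] ?? '');
    $stmt = $db->prepare('INSERT INTO tableA (name_col, int_col) VALUES (:name, :num)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':num', $int, PDO::PARAM_INT);
    return $stmt->execute();
}

insertConcatenated($db, $post);   // fails: the apostrophe breaks the statement
insertPrepared($db, $post);       // stores O'Brien, 42 as plain data
insertPrepared($db, ['varchar' => 'x', 'integer' => '1 or 1=1']); // rejected by validation

foreach ($db->query('SELECT name_col, int_col FROM tableA') as $row) {
    echo $row['name_col'], ' ', $row['int_col'], "\n";
}
```

The concatenated function is kept only to show the failure on ordinary input; the prepared version is the one to use, and the FILTER_VALIDATE_INT check rejects anything that is not an integer before a query is even built.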