Posted by Iván Sánchez Ortega on 02/05/06 04:15
noone wrote:
>>>$sqli = "insert into tableA values ";
>>>$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>
> goes without saying... merely a test example of how to enclose the
> varchar data with single-quote "'".
That's an example of SQL injection; you should know that, and you should
teach newbies to use RDBMS-specific techniques of escaping alphanumeric
data prior to its usage in any SQL statement instead of posting such an
example.
This is how it should be done:
<?php
// Escape the string with the MySQL-specific function before quoting it
$varchar = mysql_real_escape_string($_POST['varchar']);
// Cast the integer so only a number can reach the statement
$integer = (int) $_POST['integer'];
$sqli = "insert into tableA values ('$varchar',$integer)";
?>
I will repeat myself. Never ever trust *any* data entered by *any* user.
> You also want to use a platform that is nearly impossible to crack.
Why should I care about the platform, if anybody can inject SQL??
--
----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
Realitometer: [\.......] Hmmm! It must not be working.
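As an added example that is not part of the original thread: the same INSERT built with a PDO prepared statement (parameter binding, a different technique from the escaping function shown in the post), run offline against an in-memory SQLite database. The table columns and the "user input" are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. Builds the thread's INSERT
// with a PDO prepared statement instead of splicing escaped strings into
// the SQL text. Runs offline against in-memory SQLite; the table layout
// and the sample request data below are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed table: the thread's tableA with one text and one integer column.
$pdo->exec('CREATE TABLE tableA (label TEXT NOT NULL, amount INTEGER NOT NULL)');

// Constructed request data of the kind the thread warns about: a single
// quote that would end the string literal early, and a non-numeric integer.
$post = [
    'varchar' => "O'Brien', 0) --",
    'integer' => '42abc',
];

// The concatenation from the thread, reproduced only as text to show how
// the quote changes the statement's structure; it is never executed here.
$concatenated = "insert into tableA values ('" . $post['varchar'] . "'," . $post['integer'] . ")";
echo "Concatenated statement: $concatenated\n";

/**
 * Insert one row using bound parameters. The integer is cast as the post
 * recommends; the string is handed to the driver as data, so no escaping
 * is needed and the quote cannot alter the statement. Returns rows affected.
 */
function insertRow(PDO $pdo, string $varchar, int $integer): int
{
    $stmt = $pdo->prepare('INSERT INTO tableA VALUES (?, ?)');
    $stmt->bindValue(1, $varchar, PDO::PARAM_STR);
    $stmt->bindValue(2, $integer, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$inserted = insertRow($pdo, $post['varchar'], (int) $post['integer']);

// Read the row back: the payload is stored verbatim as a value, so the
// quote had no effect on the query itself.
$row = $pdo->query('SELECT label, amount FROM tableA')->fetch(PDO::FETCH_ASSOC);
echo "Rows inserted : $inserted\n";
echo "Stored label  : " . $row['label'] . "\n";
echo "Stored amount : " . $row['amount'] . "\n";
echo "Label verbatim: " . var_export($row['label'] === $post['varchar'], true) . "\n";
```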