Posted by Chung Leong on 11/18/05 07:37
www.douglassdavis.com wrote:
> now, the key is that instead of just adding the $fieldname, $tablename,
> $id to the $format string and passing it to mysql_query, it would be
> passed to the parser as separate strings. The parser should know how
> to handle that format. That way, the parser would always know where
> the different tables names, field names, and other strings start and
> end. So, the problem of injection attacks caused by some one confusing
> the parser by entering things like ' and " is gone.
Well, just write your own function that performs that. I have suggested
the following some time earlier:
function sql() {
    $args = func_get_args();
    // the first argument is the printf-style format; the rest are the values
    $format = array_shift($args);
    for ($i = 0, $l = count($args); $i < $l; $i++) {
        // escape every value before it is spliced into the statement;
        // mysql_real_escape_string honours the connection's character set,
        // which the older mysql_escape_string does not
        $args[$i] = mysql_real_escape_string($args[$i]);
    }
    return vsprintf($format, $args);
}

$sql = sql("SELECT * FROM CowBrains WHERE fkCow = %d AND name = '%s'",
           $id, $name);
If used consistently, dynamic strings in SQL statements will always be
escaped.
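The following is an added example, not code from the original thread or from either poster. It ports the sql() helper above to Python and runs three variants of the CowBrains query against an in-memory SQLite table: naive concatenation, the escape-then-format helper, and the approach the quoted question describes, where the values are handed to the parser separately from the SQL text (bound parameters). The escaper doubles single quotes (SQL standard, what SQLite expects) rather than backslash-escaping as mysql_escape_string does; the role is the same, a value can never close the quote it sits in. The table contents and the payload are constructed for the demo. It also goes slightly beyond the post: the quoted question mentions table and field names, which no string escaping can protect because they are not inside quotes, so an `ident()` whitelist is added for those.

```python
import re
import sqlite3

# Constructed sample rows for the demo; not data from the original thread.
ROWS = [(1, "daisy"), (1, "bessie"), (2, "clover")]

FMT = "SELECT * FROM CowBrains WHERE fkCow = %d AND name = '%s'"


def escape_arg(value):
    """Escape one argument the way the posted sql() does for every value.

    Strings get their single quotes doubled so they stay inside the quotes
    the format put around them (SQLite/SQL-standard; MySQL uses backslashes).
    Numbers pass through untouched so they can fill a %d slot.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    return str(value).replace("'", "''")


def sql(fmt, *args):
    """Python port of the posted sql(): escape every argument, then format.

    One behavioural difference from PHP's vsprintf: a string handed to a %d
    slot raises TypeError here instead of being silently cast to an int.
    Either way, attacker text never reaches the statement through that slot.
    """
    return fmt % tuple(escape_arg(a) for a in args)


def ident(name):
    """Whitelist a table or column name; this is the only safe treatment
    for identifiers, since escaping only helps inside quotes (added here,
    not part of the original helper)."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("illegal identifier: %r" % name)
    return name


def numeric_slot_rejected():
    """Return True if a payload aimed at the %d slot cannot get through."""
    try:
        sql(FMT, "1 OR 1=1", "daisy")
    except TypeError:
        return True
    return False


def run(db, query, params=()):
    """Execute and return just the cow names that came back."""
    return [row[1] for row in db.execute(query, params).fetchall()]


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE %s (fkCow INTEGER, name TEXT)" % ident("CowBrains"))
    db.executemany("INSERT INTO CowBrains VALUES (?, ?)", ROWS)

    payload = "x' OR '1'='1"

    # 1. Raw interpolation: the quote in the payload closes the literal and
    #    the OR clause becomes part of the statement; every row comes back.
    naive = FMT % (1, payload)

    # 2. The sql() helper: the quote is doubled, so the whole payload is
    #    compared as one (non-matching) name.
    escaped = sql(FMT, 1, payload)

    # 3. What the quoted question asks for: the parser gets the statement
    #    and the values as separate strings, so boundaries are never guessed.
    bound = "SELECT * FROM CowBrains WHERE fkCow = ? AND name = ?"

    return {
        "naive": run(db, naive),
        "escaped": run(db, escaped),
        "bound": run(db, bound, (1, payload)),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print("%-8s -> %r" % (label, names))
```

Running it shows the naive query returning every cow while both the escaped and the bound versions return nothing, which is the consistency argument of the post in executable form: the helper only protects the statements that are built through it, whereas bound parameters make the boundary problem disappear at the parser.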