Reply to Re: Editing a string to add a \ before a '

Posted by Jim Michaels on 02/23/06 09:30

"Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
news:I66dnW_XP7dWPHTenZ2dnUVZ_t-dnZ2d@comcast.com...
>
> "Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
> message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...
>>
>> noone wrote:
>>
>>>>>$sqli = "insert into tableA values ";
>>>>>$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>>>
>>> goes without saying... merely a test example of how to enclose the
>>> varchar data with single-quote "'".
>>
>> That's an example of a SQL injection, you should know that, and you
>> should
>> teach newbies to use RDBMS-specific techniques of escaping alphanumeric
>> data prior to its usage in any SQL statement instead of posting such an
>> example.
>>
>> This is how it should be done:
>>
>
> how about one line with a little more security:
>
<?php
// escape for MySQL first, then strip semicolons (needs an open mysql connection)
$sqli = "INSERT INTO tableA VALUES ('" .
str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>

OOPS! I got the function order swapped. It should strip semicolons out first;
otherwise the generated HTML named entities will be all messed up.
It would be even better to do a preg_match("/;/",$_POST['varchar']) to search
for injection attempts and lock out the user.
<?php
// strip semicolons first, then escape for MySQL (needs an open mysql connection);
// the integer column is cast separately with intval()
$sqli = "INSERT INTO tableA VALUES ('" .
mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>


>
>
>>
>> I will reiterate myself. Never ever trust *any* data entered by *any*
>> user.
>>
>>> You also want to use a platform that is nearly impossible to crack.
>>
>> Why should I matter about the platform, if anybody can inject SQL??
>>
>> --
>> ----------------------------------
>> Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
>>
>> Realidómetro: [\.......] Hmmm! No debe de funcionar.
>
>
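The thread argues about how to escape or strip characters before concatenating them into the INSERT. As an added example (not code from the thread), here is the same INSERT done with a prepared statement, where the submitted values are bound as parameters and never become part of the SQL text, so neither escaping nor semicolon stripping is needed and legitimate input containing quotes or semicolons is stored unchanged. It assumes PDO with an in-memory SQLite database so it runs offline, and a tableA layout (one text column, one integer column) taken from the quoted snippet.

```php
<?php
// Added example, not from the thread: bind the values instead of concatenating.
// Table layout is assumed from the quoted INSERT; SQLite in memory stands in
// for MySQL so this runs without a server.
function insertRow(PDO $db, string $varchar, int $integer): void
{
    // Placeholders travel separately from the statement text, so the driver
    // treats the bound values strictly as data whatever characters they hold.
    $stmt = $db->prepare('INSERT INTO tableA (v, i) VALUES (:v, :i)');
    $stmt->bindValue(':v', $varchar, PDO::PARAM_STR);
    $stmt->bindValue(':i', $integer, PDO::PARAM_INT);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tableA (v TEXT NOT NULL, i INTEGER NOT NULL)');

// Constructed input standing in for $_POST: a value with a single quote and
// semicolons, which breaks the concatenated query and which str_replace(';')
// would silently mangle for an honest user.
$varchar = "O'Brien; see row 2; ok";
$integer = intval('42abc');   // intval() keeps only the leading digits

insertRow($db, $varchar, $integer);

// Verify: exactly one row, stored byte-for-byte as submitted, table intact.
$rows = $db->query('SELECT v, i FROM tableA')->fetchAll(PDO::FETCH_ASSOC);
if (count($rows) !== 1 || $rows[0]['v'] !== $varchar || (int) $rows[0]['i'] !== 42) {
    throw new RuntimeException('unexpected table contents');
}
printf("stored: %s | %d\n", $rows[0]['v'], $rows[0]['i']);
?>
```

The same pattern applies to MySQL through PDO's mysql driver or mysqli prepared statements; only the DSN and connection setup change.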
