Re: Editing a string to add a \ before a '
Posted by Andy Hassall on 02/26/06 15:29

On Tue, 7 Feb 2006 23:46:17 -0800, "Jim Michaels" <jmichae3@nospam.yahoo.com>
wrote:

>how about one line with a little more security:
>
> <?php
>$sqli = "INSERT INTO tableA VALUES ('" .
>str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
>intval($_POST['integer']) . ")";
>?>

If you're escaping the value correctly with mysql_real_escape_string and have
enclosed that in single quotes, there's no need to remove semicolons. All
you're doing is corrupting data; you're not adding any more security.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
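An added example illustrating the point above (written for this page, not code from either poster): the value is escaped and then wrapped in single quotes, so a semicolon inside it is just character data and stripping it only mangles what gets stored. It uses the mysqli extension, the successor of the `mysql_*` functions in the quoted post, and assumes a table `tableA (name VARCHAR(255), n INT)`; the connection parameters and the sample input are placeholders constructed for the example. The prepared-statement variant goes one step further than the post and keeps the values out of the SQL text entirely.

```php
<?php
// Added example, not from the original thread. Assumes a table
// `tableA (name VARCHAR(255), n INT)`; host/credentials are placeholders.

// Builds the INSERT the way the quoted post does, minus the
// str_replace(";", "", ...). Once the string is escaped AND enclosed in
// single quotes, a ';' inside it cannot end the statement: it is data.
function build_insert(mysqli $db, string $text, string $int): string
{
    // Escapes ' " \ NUL \n \r and ^Z according to the connection charset.
    $escaped = $db->real_escape_string($text);
    // Integer column: cast, do not quote or escape.
    $n = intval($int);
    return "INSERT INTO tableA VALUES ('" . $escaped . "', " . $n . ")";
}

// Same insert with a prepared statement: the values are sent separately
// from the SQL text, so quoting and escaping rules no longer apply to them.
function prepared_insert(mysqli $db, string $text, string $int): bool
{
    $stmt = $db->prepare("INSERT INTO tableA VALUES (?, ?)");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $n = intval($int);
    $stmt->bind_param("si", $text, $n); // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input: an apostrophe and a semicolon in one value,
// and a non-numeric tail on the integer field.
$post = ["varchar" => "O'Brien; see note 3", "integer" => "42abc"];

$db = new mysqli("db.example.invalid", "user", "password", "demo"); // placeholder
if ($db->connect_error) {
    fwrite(STDERR, "connect failed: " . $db->connect_error . "\n");
    exit(1);
}

// Prints: INSERT INTO tableA VALUES ('O\'Brien; see note 3', 42)
// The apostrophe is escaped, the semicolon is kept, and intval() drops "abc".
// With the post's str_replace the stored name would lose its ';' for no gain.
echo build_insert($db, $post["varchar"], $post["integer"]), "\n";

prepared_insert($db, $post["varchar"], $post["integer"]);
$db->close();
```

The escape-and-quote approach is only correct when every escaped value sits inside quotes and the connection charset is the one `real_escape_string` was told about; the prepared statement removes both conditions, which is why it is the preferred form today.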
