|
|
Posted by rlee0001 on 02/26/06 20:15
> Jim Michaels wrote:
> "Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
> news:I66dnW_XP7dWPHTenZ2dnUVZ_t-dnZ2d@comcast.com...
>
> OOPS! got the functions order-swapped. should strip semicolons out first.
> otherwise, generated html named entities will be all messed up.
> it would be even better to do a preg_match("/;/",$_POST'varchar']) to search
> for injection attempts and lockout the user.
> <?php
> $sqli = "INSERT INTO tableA VALUES ('" .
> mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
> intval($_POST['integer']) . ")";
> ?>
Wow, as a PostgreSQL/PHP programmer I can honestly say that I am
shocked at some of the responses on this thread. Especially from
'noone'. But honestly, some of you guys know just enough to be
dangerous and not much else. Be careful around big red buttons ok?
-Robert
[Back to original message]
|