From: Reindl Harald
Date: September 19 2011 4:47am
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
List-Archive: http://lists.mysql.com/mysql/225757
Message-Id: <4E76C95E.5070707@thelounge.net>

On 19.09.2011 03:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a numeric field in the table,
> I'll include the $id in single quotes in the PHP statement, so even if the
> value of $id is null, alpha, or invalid (not numeric) it does not generate a
> mysql syntax error

What ugly style - if it is not numeric and you throw it to the database you
are one of the many with a SQL injection, because if you get invalid values
up to there, you have done no sanitizing before and do not do it here either.

$sql = "INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) . "')";

or using an abstraction layer (simple self-written class):

$sql = "INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";

All other things in the context of hand-written queries are all the nice ones
we read about every day in the news and should NOT be recommended, because
the next beginner reading this makes all the mistakes again.
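The "simple self-written class" idea from the reply, worked out as an added example (this is not code from the mailing-list post). It assumes PHP 8 with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; binding parameters through PDO stands in for mysql_real_escape_string(), which needs a live MySQL connection, and the integer check is the same idea as the (int) cast in the post, except that a non-numeric $id is rejected instead of silently becoming 0. The table name `items` and the inputs at the bottom are constructed for the example.

```php
<?php
// Added example, not from the original post: a small abstraction layer in
// which the SQL text is fixed and every value travels as a bound parameter.
declare(strict_types=1);

final class Db
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Hypothetical table standing in for "table" in the post.
        $this->pdo->exec('CREATE TABLE items (id INTEGER NOT NULL, val TEXT NOT NULL)');
    }

    // Validate the numeric argument before it gets anywhere near SQL text.
    // Unlike a bare (int) cast, 'abc', '' and null are refused, not turned into 0.
    public static function toId(mixed $raw): int
    {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException(
                'id must be a positive integer, got ' . var_export($raw, true)
            );
        }
        return $id;
    }

    // No string concatenation of user data: the placeholders are bound with
    // explicit types, so a quote inside $val is stored as data, not parsed as SQL.
    public function insertItem(mixed $rawId, string $val): void
    {
        $stmt = $this->pdo->prepare('INSERT INTO items (id, val) VALUES (:id, :val)');
        $stmt->bindValue(':id', self::toId($rawId), PDO::PARAM_INT);
        $stmt->bindValue(':val', $val, PDO::PARAM_STR);
        $stmt->execute();
    }

    public function findVal(mixed $rawId): ?string
    {
        $stmt = $this->pdo->prepare('SELECT val FROM items WHERE id = :id');
        $stmt->bindValue(':id', self::toId($rawId), PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetchColumn();
        return $row === false ? null : $row;
    }
}

$db = new Db(new PDO('sqlite::memory:'));

// Constructed inputs: a value containing a single quote, then the kinds of
// $id the quoted post mentions (null, alpha, not numeric).
$db->insertItem('7', "O'Brien");
echo 'stored: ', $db->findVal(7), "\n";

foreach (['abc', '', null, '7abc'] as $bad) {
    try {
        $db->insertItem($bad, 'x');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The design point is the one the reply makes: the check on $id and the escaping of $val belong in one place that every query goes through, so a beginner copying the calling code cannot reproduce the `'$id','$val'` interpolation pattern by accident.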