List: General Discussion
From: Dotan Cohen
Date: September 19 2011 7:00am
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
On Mon, Sep 19, 2011 at 07:47, Reindl Harald <h.reindl@stripped> wrote:
> what ugly style - if it is not numeric and you throw it to the database
> you are one of the many with a sql-injection because if you get
> invalid values until there you have done no sanitize before and do not here
>
> $sql="INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) . "')";
>
> or using an abstraction-layer (simple self written class)
>
> $sql="INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";
>
> all other things in the context of hand-written queries are all the nice ones we read every
> day in the news and should NOT be recommended because the next beginner reading this makes all
> the mistakes again

Thanks, Reindl. I actually do something like this (simplified, in real code I use an array and a small custom function):

$mysqlName=mysql_real_escape_string($name);

Then, in the query I can see that all my variables start with $mysql* so I know that they have been sanitized.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
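The pattern discussed in the thread, written out as an added example (not code from either poster): numeric values are cast with `(int)`, string values go through the database driver's own escaper, and an array helper hands back `$mysql*`-named values so anything unescaped stands out in the query text. The helper names `sqlValue()` and `sqlValues()` are invented for this example. It uses PDO with an in-memory SQLite database so it runs offline; `PDO::quote()` plays the role that `mysql_real_escape_string()` / `mysqli::real_escape_string()` play against MySQL, returning the value already wrapped in single quotes.

```php
<?php
// Added example, not from the thread. Assumed helper names: sqlValue, sqlValues.

// Quote one value for literal inclusion in SQL text.
function sqlValue(PDO $db, $value): string
{
    if (is_int($value)) {
        return (string)$value;          // integers need no quotes
    }
    if (is_string($value) && ctype_digit($value)) {
        return (string)(int)$value;     // numeric string: cast, as in the quoted post
    }
    // Everything else goes through the driver's escaper, which returns the
    // value wrapped in single quotes with embedded quotes escaped.
    return $db->quote((string)$value);
}

// Escape every element of an associative array, returning keys prefixed with
// "mysql" so that an unprefixed variable in a query is visibly unescaped.
function sqlValues(PDO $db, array $values): array
{
    $out = [];
    foreach ($values as $key => $value) {
        $out['mysql' . ucfirst($key)] = sqlValue($db, $value);
    }
    return $out;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER, name TEXT)');

// Constructed input: a perfectly legitimate value containing a single quote.
$input = ['id' => '7', 'name' => "O'Brien"];

// Unsafe: raw interpolation. The embedded quote closes the string literal
// early, so the statement is malformed; a crafted value could do worse.
$unsafe = "INSERT INTO people VALUES ({$input['id']}, '{$input['name']}')";
try {
    $db->exec($unsafe);
    echo "unsafe query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unsafe query rejected: " . $e->getMessage() . "\n";
}

// Safe: every value passes through sqlValues() first, and the query text
// only ever references $mysql*-prefixed values.
$v = sqlValues($db, $input);
$safe = "INSERT INTO people VALUES ({$v['mysqlId']}, {$v['mysqlName']})";
$db->exec($safe);

$row = $db->query('SELECT id, name FROM people')->fetch(PDO::FETCH_ASSOC);
printf("stored: id=%d name=%s\n", $row['id'], $row['name']);
```

The escaper must come from the driver, bound to the live connection's character set, which is why the quoted post objects to home-grown sanitising; a hand-written replacement for `real_escape_string()` is the usual way such code ends up in the news.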
