From: Reindl&nbsp;Harald
Date: September 19 2011 3:11pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the
 mysql CLI and PHP
List-Archive: http://lists.mysql.com/mysql/225768
Message-Id: <4E775BA7.7090807@thelounge.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enig09D1C42EEE10E545A92F7FCD"

--------------enig09D1C42EEE10E545A92F7FCD
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable


Am 19.09.2011 16:55, schrieb Hank:
>>
>> what ugly style - if it is not numeric and you throw it to the databas=
e
>> you are one of the many with a sql-injection because if you are get
>> ivalid values until there you have done no sanitize before and do not =
here
>>
>>
> It's a matter of opinion.  I never said the data wasn't sanitized (it i=
s).
>  But sometimes calculated values or bugs in PHP code end up with a null=

> variable field.  I was just suggesting the choice between two errors --=
 one
> syntax which will generate a hard failure of the query and likely whate=
ver
> page, or a soft logical error, which won't. In either case, I have erro=
r
> trapping to catch both types of errors and alert me to them. I prefer t=
he
> errors to be logical ones and not syntax errors.
>=20
>=20
>> $sql=3D"INSERT into table VALUES (" . (int)$id . ",'" .
> mysql_real_escape_string($val) . "')";
>> or using a abstraction-layer (simple self written class)
>> $sql=3D"INSERT into table VALUES (" . (int)$id . ",'" .
> $db->escape_string($val) . "')";
>=20
> I think what you posted is ugly "style" which makes reading the actual =
SQL
> in PHP code much harder to read and debug.  The data validation should =
take
> place elsewhere long before it gets to constructing the SQL statement.

it is not because it is clear that it is sanitized instead hope and pray
thousands of layers somewhere else did it - for a inline-query the best
solution, if you are using a framework you will never have the "insert in=
to"
at this place!

what i meant as ugly is that you are somewhere writing an inline-query an=
d
are not sure if it is a number or not - so it is NOT sanitized before
because if you tell me it is you sanitze does not work if you get a non-i=
nteger
at this point and you sanitze-method has to throw the error long before
if it is really working


--------------enig09D1C42EEE10E545A92F7FCD
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk53W6cACgkQhmBjz394AnkZBwCcCX2iNthsBgrjHZaZMChOwHJ9
v6cAoIvSgP/xFJZr2Q8Xw3bgwse+Lld+
=efaE
-----END PGP SIGNATURE-----

--------------enig09D1C42EEE10E545A92F7FCD--