From: Reindl Harald
Date: September 19 2011 11:27pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
List-Archive: http://lists.mysql.com/mysql/225780
Message-Id: <4E77CFD7.4080709@thelounge.net>

On 20.09.2011 01:23, Dotan Cohen wrote:
> On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
>> i would use a small class holding the db-connection with insert/update-methods
>> pass the whole record-array, look what field types are used in the table
>> and use intval(), doubleval() or mysql_real_escape_string
>>
> By the way, the database connection is include()ed from a file outside
> the webroot. This way if Apache is ever compromised or for whatever
> reason stops parsing the PHP, the resulting code returned to the
> browser won't have the database info (especially the password)

if stops parsing - yes, but not relevant if it is in an include
if the machine is compromised it does not matter
someone who could read your files can also read the include outside the docroot
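
The approach described in the quoted message (a small class that holds the connection, reads the table's field types and casts or escapes each value accordingly), written out as an added example that is not code from the thread. It uses mysqli, since the mysql_* functions named in the message were removed in PHP 7; the class name TypedInserter and its method names are hypothetical, and it assumes PHP 8 and an already-open connection.

```php
<?php
// Added illustration (PHP 8+); TypedInserter and its methods are hypothetical names.
final class TypedInserter
{
    // $db: an open mysqli connection on which set_charset() was already called,
    // because real_escape_string() depends on the connection character set.
    public function __construct(private mysqli $db) {}

    // Quote a table or column name as a MySQL identifier.
    private function ident(string $name): string
    {
        return '`' . str_replace('`', '``', $name) . '`';
    }

    // Column name => lowercase MySQL type string, read from the table itself.
    private function columnTypes(string $table): array
    {
        $res = $this->db->query('SHOW COLUMNS FROM ' . $this->ident($table));
        if ($res === false) {
            throw new RuntimeException('cannot read columns of ' . $table);
        }
        $types = [];
        while ($row = $res->fetch_assoc()) {
            $types[$row['Field']] = strtolower($row['Type']);
        }
        return $types;
    }

    // Render one value as a SQL literal chosen by the column's type.
    private function literal(string $type, mixed $value): string
    {
        if ($value === null) { return 'NULL'; }
        if (preg_match('/^(tinyint|smallint|mediumint|int|bigint)\b/', $type)) {
            return (string) intval($value);      // integer columns: unquoted
        }
        if (preg_match('/^(float|double)\b/', $type)) {
            return (string) doubleval($value);   // floating-point columns: unquoted
        }
        return "'" . $this->db->real_escape_string((string) $value) . "'";
    }

    public function insert(string $table, array $record): bool
    {
        $types = $this->columnTypes($table);
        $cols = $vals = [];
        foreach ($record as $col => $value) {
            if (!isset($types[$col])) {          // reject keys that are not real columns
                throw new InvalidArgumentException('unknown column: ' . $col);
            }
            $cols[] = $this->ident($col);
            $vals[] = $this->literal($types[$col], $value);
        }
        return (bool) $this->db->query('INSERT INTO ' . $this->ident($table)
            . ' (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $vals) . ')');
    }
}
```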