On 03/24/2016 07:57 AM, Always Learning wrote:
> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET['....'],$link);
No. No. Nooooooooo.
You're missing the point that everyone is trying to communicate to you.
Do not use string concatenation. Do not use sprintf. Do not use
mysql_real_escape_string().
Use prepared statements.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
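The reply above points at mysqli prepared statements without showing one. The following is an added example, not code from either poster: the same lookup written with string concatenation (the pattern the reply rejects) and then as a mysqli prepared statement. The table `users(id, name)`, the connection parameters, and the `findUser*` function names are all assumptions for illustration; `get_result()` needs the mysqlnd driver that ships with modern PHP.

```php
<?php
// Added example (not from the thread). Assumes a table users(id INT, name VARCHAR(64))
// and a mysqli connection; host, user, password and database are placeholders.

$link = new mysqli('db.example.internal', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
if ($link->connect_error) {
    die('Connection failed: ' . $link->connect_error);
}
// Set the charset on the connection so the server and client agree on byte
// boundaries; with binding this matters for correctness rather than for safety.
$link->set_charset('utf8mb4');

// Rejected pattern: string concatenation. The user-controlled value becomes part
// of the SQL text, so the database parses data as grammar. Filtering quotes or
// escaping at each call site is an attempt to patch this after the fact.
function findUserConcat(mysqli $link, string $name): ?array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    $result = $link->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Recommended pattern: prepared statement. The SQL text (with a ? placeholder)
// is sent to the server and parsed once; the value is bound afterwards and is
// transmitted as a typed parameter, so it can never be read as SQL.
function findUserPrepared(mysqli $link, string $name): ?array
{
    $stmt = $link->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('s', $name);      // 's' = string; 'i' for integers, 'd' for doubles
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input: a perfectly legitimate name containing a single quote.
// The "reject anything with ' or \"" rule from the quoted post would refuse this
// user entirely; with binding it is just data and the lookup works as intended.
$name = $_GET['name'] ?? "O'Brien";
var_dump(findUserPrepared($link, $name));
```

The practical difference is where the trust boundary sits: with `findUserPrepared` every caller is safe regardless of what `$name` contains, whereas `findUserConcat` is only as safe as the last programmer who remembered to filter. The same `?` placeholder approach applies to `INSERT`, `UPDATE` and `DELETE`, and PDO offers the equivalent `prepare()`/`bindValue()` API if mysqli is not in use.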