Re: Re: PHP MySQL insert

Alain Reguera Delgado wrote:
> you could try:
>
> 1. get all form variables into an array
fine

> 2. validate values

Good, but do this step as you put the values into a separate array, don't put all the values into the array first and then validate them later... make sure the input received is input expected and then save only the input to the array that passes the validation/filtering tests

> 3. convert all values into entities using htmlentities()

Why do you want to do this before saving to the database? This step has absolutely no bearing on preparing the statement for insertion into a database. It won't protect against SQL injection. Also, you will never be able to do anything with this data other than use it for HTML output (unless you try to reverse the entities, which seems like an awful lot of work to me). It's best to save the raw data as entered and escape it (with htmlentities() or something else) ONLY on output.

As I mentioned in my last post to this thread, the best way to escape a string for insertion into a database (and protect against SQL injection) is to use the escape function for the particular database -- mysql_real_escape_string() in this case. You should never use htmlentities() to escape data before saving it to a database. Do that only after you've pulled data from the database and are outputting it somewhere (like on a Web page).

> 4. build sql query (do some tests 'til get it right)
> 5. execute the built query (with proper db function)
>
> by now, commas aren't a problem, they are limited between sql query's
> quotes. If some quotes are inserted as value they are previously converted to its entities and do not break the sql query.

This is why you use mysql_real_escape_string(), etc. -- not htmlentities().

> as previously said in this thread, the problem is on quoting and maybe
> on converting the values to entities, to prevent some quote break the
> sql structure.

You don't need to convert the values to HTML entities when saving to a database. That's not going to prevent this problem.

--
Ben Ramsey
http://benramsey.com/
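The flow Ben describes above, as an added example that is not part of the thread: validate while copying into a separate array, escape with the database's own escape function when building the INSERT, store the raw text, and apply htmlentities() only when rendering. It uses mysqli_real_escape_string() (via the mysqli object) in place of the mysql_real_escape_string() named in the thread, since the mysql_* extension no longer exists in current PHP; the table name, column names, validation rules and connection parameters are all assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names, validation
// rules and connection details are assumed for illustration.

// Steps 1 and 2 together: validate as you copy into a separate array, and
// keep only the input that passes. Nothing is HTML-escaped here.
function collect_valid(array $input): array
{
    $clean = [];
    if (isset($input['name']) && is_string($input['name'])
        && preg_match('/^[\p{L} .\'-]{1,60}$/u', $input['name'])) {
        $clean['name'] = $input['name'];
    }
    if (isset($input['email'])
        && filter_var($input['email'], FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $input['email'];
    }
    if (isset($input['comment']) && is_string($input['comment'])
        && strlen($input['comment']) <= 2000) {
        $clean['comment'] = $input['comment']; // raw text, apostrophes included
    }
    return $clean;
}

// Step 4: build the query. Values are escaped for MySQL (charset-aware),
// not converted to HTML entities, so a quote in the data cannot break the
// SQL structure and the stored text stays exactly as the user typed it.
function build_insert(mysqli $db, array $clean): string
{
    $cols = [];
    $vals = [];
    foreach ($clean as $col => $val) {
        // Column names come only from the fixed keys set in collect_valid().
        $cols[] = '`' . $col . '`';
        $vals[] = "'" . $db->real_escape_string($val) . "'";
    }
    return 'INSERT INTO `comments` (' . implode(', ', $cols) . ')'
         . ' VALUES (' . implode(', ', $vals) . ')';
}

// Output side: this is the only place htmlentities() belongs. The row holds
// the raw text pulled back from the database.
function render_comment(array $row): string
{
    return '<p><b>' . htmlentities($row['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
         . htmlentities($row['comment'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Step 5: execute with the proper db function. Connection values are assumed.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
$db->set_charset('utf8mb4'); // escaping depends on the connection charset

$clean = collect_valid($_POST);
if (count($clean) === 3) {           // all three fields passed validation
    $db->query(build_insert($db, $clean));
}

// Later, when displaying: select the raw rows and escape only at this point.
$result = $db->query('SELECT `name`, `comment` FROM `comments` ORDER BY 1');
while ($row = $result->fetch_assoc()) {
    echo render_comment($row);
}
```

Note that set_charset() is part of the point: real_escape_string() escapes according to the connection's character set, so the charset must be set on the connection rather than in the query. The same separation (raw in the database, escape at the boundary you are writing to) holds if the INSERT is replaced with a mysqli prepared statement, which removes the hand-built quoting altogether.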

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
