Ben wrote:

> Graham Anderson said the following on 10/13/05 15:31:
>> Is this a bit better?
>> As directed, I 'sanitized' all user input variables with trim and
>> mysql_real_escape_string.
>>
>> Thanks for everyone's patience as I am starting at ground zero
>> concerning security.
>>
>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
>> {
>>   // decrypt and sanitize variables
>>   $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : "null";
>>   $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : "null";
>>   .
>>   .
>>   .
>>
>> the cleanser script:
>> function cleanser( $value )
>> {
>>   return mysql_real_escape_string( trim( $value ) ) ;
>> }
>>
>> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
>> outside the web folder.
>>
>> many thanks :)
>
> My understanding is that mysql_real_escape_string will only work while
> you are connected to mysql. Not sure if that is the case in your
> situation.

That is incorrect. mysql_real_escape_string is a php function, not mysql.

Cheers
-- 
David Robley
Computer programmers do it byte by byte.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
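Ben's point about the connection, shown as an added example that is not from the thread: the escaping function takes the database link because it escapes according to that connection's character set, so the connection has to exist before the cleanser runs. It uses the mysqli extension instead of the older mysql_* functions in the thread, leaves out the decrypt step, and the host, credentials, database and table name are placeholders.

```php
<?php
// Added example, not from the thread. Uses mysqli; the thread's
// mysql_real_escape_string behaves the same way: with no open link it
// emits a warning and returns false instead of an escaped string.
// Host, credentials, database and table name are placeholders.

// Escapes a value for use inside a quoted MySQL string literal only.
// It is not a general sanitiser: it gives no protection for a value that
// ends up in a file path, a shell command or an HTML page.
function cleanser(mysqli $link, string $value): string
{
    return mysqli_real_escape_string($link, trim($value));
}

$link = mysqli_connect('localhost', 'db_user', 'db_password', 'example_db');
if ($link === false) {
    // No connection means no escaping: stop here rather than query with raw input.
    exit('database connection failed');
}

$cmd = isset($_REQUEST['cmd']) ? cleanser($link, $_REQUEST['cmd']) : 'null';
$sql = "SELECT id FROM jobs WHERE cmd = '" . $cmd . "'";   // escaped for this context only

// Preferred form: a prepared statement keeps the data out of the SQL text,
// so there is no escaping step to forget or to apply in the wrong context.
$raw  = isset($_REQUEST['cmd']) ? trim($_REQUEST['cmd']) : 'null';
$stmt = mysqli_prepare($link, 'SELECT id FROM jobs WHERE cmd = ?');
if ($stmt === false) {
    exit('prepare failed');
}
mysqli_stmt_bind_param($stmt, 's', $raw);
mysqli_stmt_execute($stmt);
```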