Many of the older PHP implementations don't have the mysql_escape_string function, if not addslashes should work.... I would be interested to know what might get past the addslashes function that the mysql_escape_string function catches.

Warren Vail

> -----Original Message-----
> From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
> Sent: Thursday, August 10, 2006 11:31 AM
> To: Warren Vail
> Cc: 'João Cândido de Souza Neto'; php-general@xxxxxxxxxxxxx
> Subject: Re: INPUT
>
> Warren Vail wrote:
> > Just happened to think of one other thing you might want to be aware of;
> >
> > When a query behaves like this, your site is usually vulnerable to the
> > "Sql Injection Hack". Basically this is where someone sticks an
> > insert query into one of your data form fields (quotes are involved),
> > and the additional query is used for something like adding themselves
> > as an administrator to your site. I believe the addslashes I
> > mentioned before would fix this for this field, but you may
> > want to check other text fields on your forms.
>
> the way I read it he had an output problem not an input problem.
> but if it is an input problem then it does indeed have an SQL
> injection vulnerability, assuming he is using MySQL (other
> dbs have different functions). I would recommend using
> mysql_escape_string()/mysql_real_escape_string() instead of
> addslashes() because they are far more robust and clever
> functions dedicated to proper escaping of data to be put into a query.
>
> >
> > Warren Vail
> >
> >
> >> -----Original Message-----
> >> From: João Cândido de Souza Neto [mailto:joao@xxxxxxxxxxxxxxxxxxxxx]
> >> Sent: Thursday, August 10, 2006 11:11 AM
> >> To: php-general@xxxxxxxxxxxxx
> >> Subject: INPUT
> >>
> >> Hi everyone,
> >>
> >> Excuse me for the off-topic.
> >>
> >> I've been having a little trouble showing data in an html form.
> >>
> >> e.g.: In an e-commerce my client has a "Sony 29" TV" that when I put
> >> it in an input value, it seems just "Sony 29". It's caused by the quote
> >> in the data; does someone know how I can fix it?
> >>
> >> Thanks all.
> >>
> >> --
> >> João Cândido de Souza Neto
> >> Curitiba Online
> >> joao@xxxxxxxxxxxxxxxxxxxxx
> >> (41) 3324-2294 (41) 9985-6894
> >> http://www.curitibaonline.com.br
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
> >> http://www.php.net/unsub.php
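The thread mixes two different escaping contexts: the quote in `Sony 29" TV` breaking an HTML attribute (an output problem), and quotes in form data reaching a MySQL query (an input problem). The following is an added example, not code from anyone in the thread, showing the two handled separately: `htmlspecialchars()` for the attribute, and a prepared statement (or, failing that, `mysqli::real_escape_string()`) for the query. It is relevant to Warren's question that `real_escape_string()` escapes with knowledge of the connection's character set, which `addslashes()` has no way of knowing about, so the charset is set on the connection before any escaping. The `products` table, the connection parameters and the helper function names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Same string, two escaping contexts.
declare(strict_types=1);

// Constructed sample: the value from the thread.
$productName = 'Sony 29" TV';

// 1. Output context: an HTML attribute value.
//    The raw " ends the attribute early, which is why the field shows "Sony 29".
//    addslashes() does not help here: Sony 29\" TV still contains a closing quote.
function inputValueAttr(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value is safe in either quoting style.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

echo '<input type="text" name="product" value="' . inputValueAttr($productName) . '">' . "\n";
// Renders: <input type="text" name="product" value="Sony 29&quot; TV">
// The browser decodes &quot; back to " when displaying the field.

// 2. Input context: the same value used in a MySQL query.
//    Preferred: a prepared statement, so the data is never part of the SQL text.
function findProductByName(mysqli $db, string $name): ?array   // hypothetical helper
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name = ?');  // assumed table
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

//    Fallback when the SQL string must be built by hand: real_escape_string()
//    escapes according to the connection's character set, so set_charset()
//    must have been called on the connection first.
function escapedLookupSql(mysqli $db, string $name): string   // hypothetical helper
{
    return "SELECT id, name FROM products WHERE name = '" . $db->real_escape_string($name) . "'";
}

// Make mysqli throw on errors so a missing server is reported cleanly.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'user', 'password', 'shop');   // placeholder credentials
    $db->set_charset('utf8mb4');   // before any escaping or querying
    var_dump(findProductByName($db, $productName));
    echo escapedLookupSql($db, $productName) . "\n";
    // SELECT id, name FROM products WHERE name = 'Sony 29\" TV'
} catch (mysqli_sql_exception $e) {
    echo "no database available: " . $e->getMessage() . "\n";
}
```

The HTML part runs without a database; the query part needs a MySQL server reachable with the placeholder credentials. The point of keeping the two functions apart is that an escaping routine is tied to the place the data is going: HTML-encoding does nothing for SQL, and SQL escaping does nothing for HTML.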