Re: INPUT

Warren Vail wrote:
> Just happened to think of one other thing you might want to be aware of;
> 
> When a query behaves like this, your site is usually vulnerable to the "Sql
> Injection Hack".  Basically this is where someone sticks an insert query
> into one of your data form fields (quotes are involved), and the additional
> query is used for something like adding themselves as an administrator to
> your site.  I believe the addslashes I mentioned before would fix this for
> this field, but you may want to check other text fields on your forms.

The way I read it, he had an output problem, not an input problem.
But if it is an input problem, then it does indeed have an SQL injection vulnerability.
Assuming he is using MySQL (other DBs have different functions), I would
recommend using mysql_escape_string()/mysql_real_escape_string() instead of
addslashes(), because they are far more robust and clever functions dedicated to
proper escaping of data to be put into a query.

> 
> Warren Vail
>  
> 
>> -----Original Message-----
>> From: João Cândido de Souza Neto [mailto:joao@xxxxxxxxxxxxxxxxxxxxx] 
>> Sent: Thursday, August 10, 2006 11:11 AM
>> To: php-general@xxxxxxxxxxxxx
>> Subject:  INPUT
>>
>> Hi everyone,
>>
>> Excuse me for being off-topic.
>>
>> I've been having a little trouble showing data in an HTML form.
>>
>> e.g.: In an e-commerce site my client has a "Sony 29" TV" that,
>> when I put it in an input value, appears just as "Sony 29". It's
>> caused by the quote in the data. Does anyone know how I can fix it?
>>
>> Thanks all.
>>
>>
>> --
>> João Cândido de Souza Neto
>> Curitiba Online
>> joao@xxxxxxxxxxxxxxxxxxxxx
>> (41) 3324-2294 (41) 9985-6894
>> http://www.curitibaonline.com.br 
>>
>> --
>> PHP General Mailing List (http://www.php.net/) To 
>> unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
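The thread mixes two separate issues: the original poster's output problem (a double quote inside a `value="..."` attribute ends the attribute early, so the browser shows only `Sony 29`) and Warren's input problem (the same quote breaking a concatenated SQL string). The following PHP is an added example, not code from any of the posters; it assumes the `mysqli` extension is available (the `mysql_*` functions named in the thread were removed from PHP 7), and the table and column names are placeholders.

```php
<?php
// Added example, not from the thread.
// Problem 1 (output): escape for the HTML attribute context.
// Problem 2 (input): keep user data out of the SQL grammar.

function inputValueAttribute(string $name, string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value survives either attribute
    // quoting style; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s">', $name, $safe);
}

// Constructed product name taken from the original post
$product = 'Sony 29" TV';

// Broken (the poster's symptom): the quote terminates the attribute, so the
// browser renders value="Sony 29" and drops the rest.
echo '<input type="text" name="product" value="' . $product . '">', PHP_EOL;

// Fixed: renders as value="Sony 29&quot; TV", which the browser decodes back
// to the full product name.
echo inputValueAttribute('product', $product), PHP_EOL;

// Saving the submitted value: a prepared statement treats the quote as data,
// so no escaping function is needed at all. Table/column names are placeholders.
function saveProduct(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO products (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Where a prepared statement is not an option, use the driver's own escaping
// (the mysqli equivalent of mysql_real_escape_string() from the thread) rather
// than addslashes(): it knows the connection's character set, which addslashes()
// does not.
function insertProductSql(mysqli $db, string $name): string
{
    return "INSERT INTO products (name) VALUES ('"
        . $db->real_escape_string($name) . "')";
}
```

The two fixes are independent and both are needed: escaping for HTML does nothing for the database, and escaping for the database does nothing for the browser, so apply each at the point where the data enters that particular context.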

