Warren Vail wrote:
> Many of the older PHP implementations don't have the mysql_escape_string
> function, if not addslashes should work....

this is true.

> I would be interested to know
> what might get past the addslashes function that the mysql_escape_string
> function catches.

not sure about that, but one assumes MySQL is better equipped to know how
to properly/safely escape data - besides, mysql_real_escape_string() is
character set aware. on top of this you don't know what the future will
bring; mysql(_real)_escape_string() is better in terms of future proofing.

if anyone answers Warren's question I would be interested to read about it too :-)

>
> Warren Vail
>
>
>> -----Original Message-----
>> From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
>> Sent: Thursday, August 10, 2006 11:31 AM
>> To: Warren Vail
>> Cc: 'João Cândido de Souza Neto'; php-general@xxxxxxxxxxxxx
>> Subject: Re: INPUT
>>
>> Warren Vail wrote:
>>> Just happened to think of one other thing you might want to be aware
>>> of;
>>>
>>> When a query behaves like this, your site is usually vulnerable to the
>>> "Sql Injection Hack". Basically this is where someone sticks an
>>> insert query into one of your data form fields (quotes are involved),
>>> and the additional query is used for something like adding themselves
>>> as an administrator to your site. I believe the addslashes I
>>> mentioned before would fix this for this field, but you may
>>> want to check other text fields on your forms.
>>
>> the way I read it he had an output problem, not an input problem.
>> but if it is an input problem then it does indeed have an SQL
>> injection vulnerability; assuming he is using MySQL (other
>> dbs have different functions) I would recommend using
>> mysql_escape_string()/mysql_real_escape_string() instead of
>> addslashes() because they are far more robust and clever
>> functions dedicated to proper escaping of data to be put into a query.
>>
>>> Warren Vail
>>>
>>>
>>>> -----Original Message-----
>>>> From: João Cândido de Souza Neto [mailto:joao@xxxxxxxxxxxxxxxxxxxxx]
>>>> Sent: Thursday, August 10, 2006 11:11 AM
>>>> To: php-general@xxxxxxxxxxxxx
>>>> Subject: INPUT
>>>>
>>>> Hi everyone,
>>>>
>>>> Excuse me for being off-topic.
>>>>
>>>> I've been having a little trouble showing data in an HTML form.
>>>>
>>>> e.g.: In an e-commerce site my client has a "Sony 29" TV" that, when I put
>>>> it in an input value, shows just "Sony 29". It's caused by the quote
>>>> in the data. Does someone know how I can fix it?
>>>>
>>>> Thanks all.
>>>>
>>>>
>>>> --
>>>> João Cândido de Souza Neto
>>>> Curitiba Online
>>>> joao@xxxxxxxxxxxxxxxxxxxxx
>>>> (41) 3324-2294 (41) 9985-6894
>>>> http://www.curitibaonline.com.br
>>>>
>>>>
>>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
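The thread mixes two separate problems: João's original question is an output-escaping problem (a double quote inside an HTML attribute value), while Warren's follow-up is about the input side (the same value inside a SQL literal). The script below is an added example, not code posted by anyone in the thread. It shows both, side by side, and also demonstrates the byte-level behaviour behind Jochem's remark that addslashes() is not character-set aware. It uses htmlspecialchars() for the output side and a PDO prepared statement (against an in-memory SQLite database, so it runs stand-alone on a PHP CLI with the pdo_sqlite extension) instead of the mysql_real_escape_string() function the thread recommends; that function was removed in PHP 7, and the parameterised query is the modern replacement. The product titles and the hostile input are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Three parts:
//  1. The OUTPUT problem: 'Sony 29" TV' truncates an HTML attribute unless
//     it is escaped for that context.
//  2. The INPUT problem: the same untrusted value placed in a SQL literal.
//     A PDO prepared statement is used instead of any escaping function.
//  3. Why addslashes() alone is not charset-aware.
// Requires PHP >= 7.4 with pdo_sqlite. All sample data is constructed.

// --- 1. Output into an HTML attribute -------------------------------------

// Unsafe: the raw quote in $value closes the attribute early, so the
// browser shows value="Sony 29" and the rest of the tag is garbage.
function input_tag_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Safe: escape for the HTML attribute context. ENT_QUOTES matters: the
// default flags leave single quotes alone, which breaks value='...'.
function input_tag(string $name, string $value): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $h($name) . '" value="' . $h($value) . '">';
}

$product = 'Sony 29" TV';
echo input_tag_unsafe('title', $product), "\n";
// <input type="text" name="title" value="Sony 29" TV">
echo input_tag('title', $product), "\n";
// <input type="text" name="title" value="Sony 29&quot; TV">

// --- 2. The same value, and a hostile one, used in a query ----------------

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO product (title) VALUES ('Sony 29\" TV'), ('Sony 21\" TV')");

// Constructed attacker input: closes the string literal, then a tautology.
$hostile = "' OR '1'='1";

// Vulnerable: string interpolation. The WHERE clause becomes
//   title = '' OR '1'='1'
// and matches every row.
function find_by_title_unsafe(PDO $db, string $title): array
{
    $sql = "SELECT title FROM product WHERE title = '$title'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: parameterised query. The value never becomes part of the SQL
// text, so quotes in it are plain data and no escaping function is needed.
function find_by_title(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT title FROM product WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(find_by_title_unsafe($db, $hostile)); // both rows: injection worked
print_r(find_by_title($db, $hostile));        // empty array: treated as data
print_r(find_by_title($db, $product));        // one row: Sony 29" TV

// --- 3. addslashes() works on bytes, not characters -----------------------
// Given the two bytes BF 27 it emits BF 5C 27. If the database connection
// uses a multibyte charset such as GBK, BF 5C is one valid character and
// the following 27 (') is an unescaped quote again. An escaping routine
// that knows the connection charset (mysql_real_escape_string() did) does
// not have this problem; a prepared statement sidesteps it entirely.
echo bin2hex(addslashes("\xbf\x27")), "\n"; // bf5c27
```

Run it with `php example.php`. The first two echo lines show the attribute fix for the original question; the three print_r calls show the interpolated query matching every row on the hostile input while the prepared statement returns nothing for it and still finds the title containing a quote.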