Reinhart Viane wrote:
> About the language remark:
> I believe you try to say I need to find a way that the client can add 25
> languages without me having to change the database layout or the coding?
> Well I can assure you this will not be the fact. The client only needs these
> two languages but maybe I should look into it anyway

it's more of a theoretical thing. but if the client wants french and flemish (or dutch) now
there is a distinct chance that they will want to add dutch, english and/or german in the
foreseeable future... going by my experience of building multilingual sites for [west]
european companies (I have one client that actually wanted flemish as well as dutch so that
they could tailor texts in the flemish pages specifically to [search] terms regularly used
in belgium).

your db design may very well be sufficient for this particular case.

> About SQL injection:
> I must say this is very interesting.
> I always wondered what are the dos and don'ts when inserting data from a form
> into a database and how to check someone did not enter any php code.
> Besides the google lookup is there maybe a site or paper dedicated to this?

phpsec.org - recommended to read it back to front!

> Thx again, didn't think this question was about to bring up what I was
> looking for in the back of my head
>
>
> -----Original message-----
> From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
> Sent: Tuesday 29 August 2006 15:37
> To: rv@xxxxxxxx
> CC: php-general@xxxxxxxxxxxxx
> Subject: Re: replace single and double quotes
>
> Reinhart Viane wrote:
>> This is the code I use to insert/update text into a database field:
>>
>> $sqledit="update activities set act_extra='$_POST[editextra]',
>> act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";
>
> this indicates 'bad' database design ... because adding a language involves
> having to change the database schema. I personally think that there should be
> no need to change the database schema and/or queries and/or code just because
> the client wants an extra language.
>
> it also indicates that you have a glaring SQL injection problem. what happens
> when I craft a POST request that contains an 'editid' parameter with the
> following in it:
>
> '1 OR 1'
>
> or
>
> '1; DELETE * FROM activities'
>
> google 'SQL injection', do some reading and get into the habit of sanitizing
> your user input.
>
>> Now both $_POST[editextra] and $_POST[editextrafr] can contain single or
>> double quotes.
>> So the query almost always gives me an error.
>>
>> I know I have to replace " with &quot;, but I do not know how to replace
>> the
>
> WRONG - you only replace " with &quot; when you are OUTPUTTING the string as part
> of a webpage. the database should contain the actual
>
>> single quote so it is shown as a single quote on a webpage when I get it
>> from the database
>
> mysql_real_escape_string()
>
> search this archive; there is plenty of discussion about escaping data so
> that it can be inserted into a database (mostly concerning MySQL).
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
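The two points Jochem makes (keep user input out of the SQL text, and escape for the database at query time rather than HTML-encoding before storage) shown side by side in PHP. This is an added example, not code from the thread; it assumes a mysqli connection `$db` and the `activities` table (`act_id`, `act_extra`, `act_extra_fr`) from Reinhart's query.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection $db and the
// activities table (act_id, act_extra, act_extra_fr) named in the original post.

// VULNERABLE: the form from the thread. POST values are pasted straight into
// the SQL, so a quote in the text breaks the statement and a crafted editid
// (the '1 OR 1' from the reply) changes which rows the UPDATE touches.
function updateActivityUnsafe(mysqli $db, array $post): bool
{
    $sql = "update activities set act_extra='$post[editextra]',
            act_extra_fr='$post[editextrafr]' where act_id=$post[editid]";
    return (bool) $db->query($sql);
}

// HARDENED: a prepared statement keeps data and SQL apart. Single and double
// quotes in the text are stored as real quotes, and the id must be an integer.
function updateActivity(mysqli $db, array $post): bool
{
    $id = filter_var($post['editid'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return false; // reject a non-numeric id instead of guessing
    }
    $extra   = (string) ($post['editextra'] ?? '');
    $extraFr = (string) ($post['editextrafr'] ?? '');
    $stmt = $db->prepare(
        'UPDATE activities SET act_extra = ?, act_extra_fr = ? WHERE act_id = ?'
    );
    $stmt->bind_param('ssi', $extra, $extraFr, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// If prepared statements are not available, escape for the database at the
// query (the mysqli form of mysql_real_escape_string), not with HTML entities.
function updateActivityEscaped(mysqli $db, array $post): bool
{
    $extra   = $db->real_escape_string((string) ($post['editextra'] ?? ''));
    $extraFr = $db->real_escape_string((string) ($post['editextrafr'] ?? ''));
    $id      = (int) ($post['editid'] ?? 0);
    return (bool) $db->query("UPDATE activities SET act_extra='$extra',
                              act_extra_fr='$extraFr' WHERE act_id=$id");
}

// HTML-encode only when the stored text is sent to the browser; this is the
// step where " becomes &quot;, so the column keeps the literal quote.
function renderExtra(string $fromDb): string
{
    return htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
}
```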