It might be bad database design, yes, however it all depends on what he is trying to do. I do it your way Jochem (normalizing the database), but in some cases the budget to do that might not be big enough. If the client gives you a task and a budget, normalizing the database might be a "waste" of time.

I do recommend he should do some reading about SQL injection; phpsec.org is probably good enough. But to get him going he could just learn that he should always mysql_real_escape_string on strings, and if he expects integers to come, use sprintf and %d.

You can read my blog http://www.lauri.se/article/4/security-hole-in-golfdatase about a big and important golf organization in Sweden and how they screwed up their security.

Hrm, I might be wrong here :)

/Peter

-----Original Message-----
From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
Sent: Tuesday, August 29, 2006 8:37 PM
To: rv@xxxxxxxx
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: replace single and double quotes

Reinhart Viane wrote:
> This is the code I use to insert/update text into a database field:
>
> $sqledit="update activities set act_extra='$_POST[editextra]',
> act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";

this indicates 'bad' database design ... because adding a language
involves having to change the database schema. I personally think that
there should be no need to change the database schema and/or queries
and/or code just because the client wants an extra language.

it also indicates that you have a glaring SQL injection problem. what
happens when I craft a POST request that contains an 'editid' parameter
with the following in it:

'1 OR 1'

or

'1; DELETE * FROM activities'

google 'SQL injection', do some reading and get into the habit of
sanitizing your user input.

> Now both $_POST[editextra] and $_POST[editextrafr] can contain single or
> double quotes.
> So the query almost always gives me an error.
>
> I know I have to replace " with &quot;, but I do not know how to replace the

WRONG - you only replace " with &quot; when you are OUTPUTTING the string as
part of a webpage. the database should contain the actual

> single quote so it is shown as a single quote on a webpage when I get it
> from the database

mysql_real_escape_string()

search this archive; there is plenty of discussion about escaping data
so that it can be inserted into a database (mostly concerning MySQL).

> I have been looking into str_replace and preg_replace. But what I really
> need is a solution that 'replaces' single quotes, double quotes and curly
> quotes so I tackle all possible problems and the same text as it was input
> in the textarea is shown on the webpage.
>
> Thx in advance

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
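The thread's two points, side by side, as an added example that is not part of the original posts: the query as written lets an `editid` of `1 OR 1` rewrite every row, and quotes in the text belong in the database untouched and get escaped only when rendered. The `mysql_*` functions Peter and Jochem name were removed in PHP 7, so this uses PDO prepared statements, which do the same job (the driver sends the values separately from the SQL text) and also cover the integer case that Peter handles with `sprintf('%d')`. The table layout is taken from Reinhart's query; the `$pdo` connection, DSN and credentials are placeholders.

```php
<?php
// Added example for the thread above; not code from any of the posters.
// Assumes a table `activities` (act_id INT, act_extra TEXT, act_extra_fr TEXT)
// and a PDO connection in $pdo with ERRMODE_EXCEPTION (placeholders below).

// The original query, kept for contrast. With editid = "1 OR 1" the WHERE
// clause becomes "where act_id=1 OR 1" and every row is updated; a single
// quote in editextra ends the string literal and the statement fails.
function vulnerable_update(PDO $pdo, array $post): void
{
    $sql = "update activities set act_extra='$post[editextra]',
            act_extra_fr='$post[editextrafr]' where act_id=$post[editid]";
    $pdo->exec($sql);
}

// Hardened version: bound parameters. The text reaches the database exactly
// as typed (single, double and curly quotes, backslashes) and can never
// alter the SQL structure, because the values are not spliced into the SQL.
function safe_update(PDO $pdo, array $post): bool
{
    // Enforce the integer type up front; "1 OR 1" is rejected here.
    $id = filter_var($post['editid'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }

    $stmt = $pdo->prepare(
        'UPDATE activities SET act_extra = :extra, act_extra_fr = :extra_fr
         WHERE act_id = :id'
    );
    $stmt->bindValue(':extra', (string) ($post['editextra'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':extra_fr', (string) ($post['editextrafr'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);

    return $stmt->execute();
}

// Escaping is an output concern: the row holds the literal text, and
// htmlspecialchars turns " and ' into &quot; and &#039; only at the moment
// the value is placed inside HTML, so the page shows what was typed.
function render_extra(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT act_extra FROM activities WHERE act_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $text = (string) $stmt->fetchColumn();

    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage (placeholder DSN and credentials; EMULATE_PREPARES off so the
// MySQL server, not the client library, separates SQL from parameters):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// safe_update($pdo, $_POST);
// echo render_extra($pdo, (int) $_POST['editid']);
```

The same split applies to any other output context: the stored value is the source of truth, and each sink (HTML body, attribute, JavaScript, URL) gets its own encoding at the point of use rather than a pre-mangled copy in the database.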