On 01/04/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
So, after a recent thread on data filtering, I'm wondering... Is this "good enough" in ALL possible Unicode/charset situations: $foo_id = (int) $_POST['foo_id']; $query = "insert into whatever(foo_id) values($foo_id)"; Or is it possible, even theoretically possible, for a sequence of: [-]?[0-9]+ to somehow run afoul of ANY charset?
Depends how standard you want to get: '--' is the SQL comment character, so if you have something like: SELECT ... WHERE column-$foo > 3 AND password='$password' and foo is a negative integer, then in ANSI SQL, you've just commented out everything after 'column', leaving you with: SELECT ... WHERE column Mysql protects you from that by demanding a space after the comment sequence. -robin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
