On Wed, 2007-08-01 at 13:20 -0700, CK wrote:
> Hi,
>
> Engaged in a "cleanup" project, attempting to understand the
> uncommented decisions of predecessors. Inserting the following
> contact form values into a DB:
>
>
> // each POST value is backslash-escaped and wrapped in single quotes
> // before being concatenated into the SQL statement text
> $first = "'".addslashes($_POST['firstname'])."'";
> $last = "'".addslashes($_POST['lastname'])."'";
> $email = "'".addslashes($_POST['email'])."'";
> $address = "'".addslashes($_POST['address'])."'";
> $city = "'".addslashes($_POST['city'])."'";
> $state = "'".addslashes($_POST['state'])."'";
> $zip = "'".addslashes($_POST['zip'])."'";
> $comments = "'".addslashes($_POST['comments'])."'";
> $newsletter = "'".addslashes($_POST['signup'])."'";
> $contact = "'".addslashes($_POST['contact'])."'";
>
>
> I can understand addslashes() for the first and last name, but question
> the need in the other variables. Please inform.

ALWAYS escape user-submitted data. Just because you expect a certain
input doesn't mean some Mr. Malicious didn't post it to your form.

That said, addslashes() is insecure for database queries. You should
use the database-specific escape function to properly escape content
that is DB bound.

Cheers,

Rob.

-- 
...........................................................
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...........................................................

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
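The following is an added example, not part of the thread above, written to show the two points in Rob's reply with runnable code. Python and SQLite stand in for PHP and MySQL because the lesson is about the database's quoting rules, not the language: addslashes() produces MySQL-style backslash escapes for plain ASCII, but it knows nothing about the connection's character set, and other databases (SQLite, PostgreSQL in standard mode) double the quote instead of backslashing it. The `contacts` table, its column names, the `addslashes` port and all POST data are constructed for the demo. The quoted code's wrapping ("'" . addslashes(...) . "'" spliced into the statement) is reproduced as `build_query_addslashes`; the fix, binding each value through the driver, is `insert_parameterized` (in PHP terms, mysqli or PDO prepared statements, or at minimum the driver's own escape function).

```python
import sqlite3

# Column order matches the form fields in the quoted code (table name is an assumption).
FIELDS = ("firstname", "lastname", "email", "address", "city",
          "state", "zip", "comments", "signup", "contact")


def addslashes(s):
    """Python port of PHP's addslashes(): a backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_query_addslashes(post):
    """Mirror of the quoted code: "'" . addslashes($_POST[...]) . "'" spliced into SQL text."""
    values = ", ".join("'" + addslashes(post.get(f, "")) + "'" for f in FIELDS)
    return "INSERT INTO contacts (%s) VALUES (%s)" % (", ".join(FIELDS), values)


def insert_addslashes(conn, post):
    conn.execute(build_query_addslashes(post))


def insert_parameterized(conn, post):
    """The fix: values are bound by the driver, so no quoting rules are involved."""
    sql = "INSERT INTO contacts (%s) VALUES (%s)" % (
        ", ".join(FIELDS), ", ".join("?" for _ in FIELDS))
    conn.execute(sql, [post.get(f, "") for f in FIELDS])


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (%s)" % ", ".join(f + " TEXT" for f in FIELDS))
    return conn


def form(**overrides):
    """Constructed sample POST data for the demo (not from the thread)."""
    post = dict.fromkeys(FIELDS, "")
    post.update(firstname="Ann", lastname="Example", email="ann@example.com",
                signup="yes", contact="email")
    post.update(overrides)
    return post


def quoting_mismatch():
    """An apostrophe escaped MySQL-style is a syntax error to SQLite, which doubles quotes instead."""
    conn = new_db()
    try:
        insert_addslashes(conn, form(lastname="O'Reilly"))
        return "accepted"
    except sqlite3.OperationalError:
        return "rejected"


def backslash_corruption():
    """SQLite does no backslash processing, so the escaped input lands with doubled backslashes."""
    conn = new_db()
    insert_addslashes(conn, form(address="C:\\temp"))
    return conn.execute("SELECT address FROM contacts").fetchone()[0]


def injection_via_contact_field():
    """'contact' (a field one 'expects' to hold a radio-button value) is the last column.
    One quote ends the literal (SQLite keeps the stray backslash inside it), a subquery
    pulls every stored email into the new row, ')' closes VALUES and '--' comments out
    the trailing quote that the quoted code appends."""
    conn = new_db()
    insert_parameterized(conn, form(email="alice@example.com"))
    insert_parameterized(conn, form(email="bob@example.com"))
    payload = "none'||(SELECT group_concat(email) FROM contacts))--"
    insert_addslashes(conn, form(email="mallory@example.com", contact=payload))
    return conn.execute("SELECT contact FROM contacts ORDER BY rowid DESC").fetchone()[0]


def parameterized_stores_literally():
    """The same hostile inputs through bound parameters are stored as plain text."""
    conn = new_db()
    payload = "none'||(SELECT group_concat(email) FROM contacts))--"
    insert_parameterized(conn, form(lastname="O'Reilly", address="C:\\temp", contact=payload))
    return conn.execute("SELECT lastname, address, contact FROM contacts").fetchone()


if __name__ == "__main__":
    print(quoting_mismatch())
    print(backslash_corruption())
    print(injection_via_contact_field())
    print(parameterized_stores_literally())
```

Two things to take from running it: the field that carries the injection is `contact`, not a name field, which is Rob's first point (every field is attacker-controlled, whatever the form's HTML suggests); and the addslashes() path fails in both directions against a database whose quoting rules it does not match, rejecting honest input like O'Reilly and corrupting honest backslashes while letting a crafted value run a subquery, which is his second. Binding parameters sidesteps the quoting question entirely, which is why it is the answer rather than a better escape function.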