CK wrote:
Hi,
Engaged in "cleanup" project, attempting to understand the uncommented
decisions of predecessors. Inserting the following contact form values
into a DB:
$first = "'".addslashes($_POST['firstname'])."'";
$last = "'".addslashes($_POST['lastname'])."'";
$email = "'".addslashes($_POST['email'])."'";
$address = "'".addslashes($_POST['address'])."'";
$city = "'".addslashes($_POST['city'])."'";
$state = "'".addslashes($_POST['state'])."'";
$zip = "'".addslashes($_POST['zip'])."'";
$comments = "'".addslashes($_POST['comments'])."'";
$newsletter = "'".addslashes($_POST['signup'])."'";
$contact = "'".addslashes($_POST['contact'])."'";
I can understand addSlashes for the first and last name, but question
the need in the other variables, please inform.
CK
More than likely what they were trying to do is prep/escape the data for insertion into the DB.
A better thing to use would be the actual DB escape function.
MySQL: http://us2.php.net/mysql_real_escape_string
Other DB implementations have similar functions.
This will escape the data for insertion into a DB, but do it on all chars that need to be escaped,
whereas addSlashes() works on only a subset of the chars that need escaping.
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
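An added example (not code from either poster) that puts the reply's point next to the original snippet: addslashes() only touches the quote, backslash and NUL characters, while the driver's escaping function knows the connection's character set and the full set of characters MySQL treats specially. The DB does not care which form field a quote arrives in, so the same treatment is needed for every user-supplied value, not only the names. It also shows the prepared-statement form, which removes the need to choose an escaping function at all. The table and column names, host and credentials are hypothetical; mysql_real_escape_string (linked in the reply) is part of the old ext/mysql extension, which was removed in PHP 7, so the mysqli equivalent is used here.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumes a MySQL database "contacts" with a table "contact_form"
// holding the columns firstname and comments (hypothetical names).
declare(strict_types=1);

// Constructed input standing in for $_POST: a surname with an apostrophe
// and a comment containing a newline, double quotes and a backslash.
$posted = [
    'firstname' => "O'Brien",
    'comments'  => "Line one\nLine \"two\" \\ backslash",
];

// 1. What the predecessor's code does. addslashes() escapes only ' " \ and NUL,
//    regardless of the connection's character set.
$viaAddslashes = "'" . addslashes($posted['firstname']) . "'";   // 'O\'Brien'

// 2. What the reply recommends: let the database driver do the escaping.
//    mysqli_real_escape_string() additionally handles \n, \r and Control-Z and
//    honours the charset set on the connection, which is why it needs $link.
$link = mysqli_connect('localhost', 'app', 'secret', 'contacts'); // hypothetical credentials
mysqli_set_charset($link, 'utf8mb4');
$viaDriver = "'" . mysqli_real_escape_string($link, $posted['comments']) . "'";

// 3. Parameterised insert. The values never become part of the SQL text, so
//    every field (name, email, zip, comments, ...) is handled the same way
//    without deciding per column whether it "needs" escaping.
$stmt = mysqli_prepare(
    $link,
    'INSERT INTO contact_form (firstname, comments) VALUES (?, ?)'
);
mysqli_stmt_bind_param($stmt, 'ss', $posted['firstname'], $posted['comments']);
mysqli_stmt_execute($stmt);

printf("addslashes:  %s\n", $viaAddslashes);
printf("driver:      %s\n", $viaDriver);
printf("rows added:  %d\n", mysqli_stmt_affected_rows($stmt));
```

The escaped strings are printed only for comparison; in the cleanup itself the prepared statement in step 3 is the form to keep, since it makes the per-field question in the original post moot.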
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php