On Wed, August 1, 2007 3:27 pm, Jay Blanchard wrote:
> [snip]
>
> $first = "'".addslashes($_POST['firstname'])."'";
> $last = "'".addslashes($_POST['lastname'])."'";
> $email = "'".addslashes($_POST['email'])."'";
> $address = "'".addslashes($_POST['address'])."'";
> $city = "'".addslashes($_POST['city'])."'";
> $state = "'".addslashes($_POST['state'])."'";
> $zip = "'".addslashes($_POST['zip'])."'";
> $comments = "'".addslashes($_POST['comments'])."'";
> $newsletter = "'".addslashes($_POST['signup'])."'";
> $contact = "'".addslashes($_POST['contact'])."'";
>
> I can understand addSlashes for the first and last name, but question
> the need in the other variables, please inform.
> [/snip]
>
> There is safety in numbers! While a lot of these fields may not ever
> contain anything that would need to be escaped, the name fields and
> comments field would definitely need this. Also, if this is filled out
> by 'external' users you do not want them to be able to enter anything
> (like a SQL injection attack in the comments field) that might cause a
> problem of some sort. Another option would be htmlentities()

addslashes is the old, wrong, not-ready-for-international-charset prime
time version of http://php.net/mysql_real_escape_string.

Change addslashes to that.

htmlentities is for BROWSER OUTPUT and has zip to do with validation.

But you would want to use it if you were outputting the data to the
browser at some later date.

And, finally, you need to escape ALL data going to MySQL because you
don't KNOW that a Bad Guy isn't trying to cram all sorts of mean and
evil stuff into all your fields.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
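An added example, not code from anyone in this thread, of the two points the reply makes: escape every field going to MySQL with a charset-aware escaping function, and encode for the browser separately with htmlentities(). It uses mysqli_real_escape_string(), the mysqli counterpart of the mysql_real_escape_string() recommended above (the mysql_* functions were removed in PHP 7); the connection parameters, the `contacts` table and the sample input are placeholders constructed for the example.

```php
<?php
// Added example: SQL-layer escaping for ALL form fields, then separate
// HTML encoding when the stored value is shown again. Connection
// parameters and table name are placeholders, not from the thread.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// real_escape_string() is only correct for the charset the connection
// declares; declaring it is what addslashes() cannot do, which is the
// "international charset" problem the reply refers to.
$db->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST.
$post = [
    'firstname' => "O'Brien",
    'lastname'  => 'Smith',
    'email'     => 'ob@example.com',
    'comments'  => "<b>nice</b> site; it's great",
];

// Escape every field the same way; do not guess which ones "need" it.
$fields = ['firstname', 'lastname', 'email', 'comments'];
$values = [];
foreach ($fields as $f) {
    $values[$f] = "'" . $db->real_escape_string($post[$f] ?? '') . "'";
}

$sql = sprintf(
    "INSERT INTO contacts (firstname, lastname, email, comments) VALUES (%s, %s, %s, %s)",
    $values['firstname'], $values['lastname'], $values['email'], $values['comments']
);
if (!$db->query($sql)) {
    die('Insert failed: ' . $db->error);
}

// Later, when the comment is output to a page: HTML-encode it. This is a
// different job from SQL escaping and is never a substitute for it.
$safeComment = htmlentities($post['comments'], ENT_QUOTES, 'UTF-8');
echo "<p>$safeComment</p>";
```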