RE: inserting ´ in a db

On Thu, 2007-10-04 at 10:18 -0700, Warren Vail wrote:
> You need to escape the single quote, an easy way to do this is to run the
> text thru the addslashes() filter.  Obviously you can't run your entire
> query thru the filter thru the filter because most of your quotes need to be
> identified by the db.  Here is what I do.
> 
> $query = "insert table1(col1, col2, col3) values("
>         .sprintf("%01d",$intval).", \"".addslashes($stringvalue)."\", "
>         ._CONSTANTINTVALUE.") ";
> 
> Addslashes makes other troublesome values become harmless as well and can be
> used to prevent SQL injection hacks.  If someone injects a SQL query into
> your data it will not be processed, but will be stored in the DB string
> variable.  Course in this case you need to be careful that if you copy the
> table contents you don't then execute the imbedded query.

AddSlashes() is crap. You have a security hole due to using the improper
escape mechanism for your database.

USE THE CORRECT ESCAPE MECHANISM FOR YOU DATABASE!

Do not ever advocate use of the addSlashes() function for database
queries unless it is the ONLY option available.

Cheers,
Rob.
-- 
...........................................................
SwarmBuy.com - http://www.swarmbuy.com

    Leveraging the buying power of the masses!
...........................................................

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
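An added example (not code from either message) that makes Rob's point concrete: the addslashes() pattern from the quoted message, rewritten with standard single-quoted literals, run against a database whose quoting rules differ from MySQL's, beside a bound-parameter insert that needs no escaping at all. It assumes PHP with the pdo_sqlite extension; the table name, column names and sample values are constructed.

```php
<?php
// Added example: addslashes() produces MySQL-style backslash escapes, which
// a database using standard SQL quoting (here SQLite) does not understand.
// Uses an in-memory SQLite database so it runs offline. Constructed data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (col1 INTEGER, col2 TEXT, col3 INTEGER)');

define('_CONSTANTINTVALUE', 42);
$intval      = 7;
$stringvalue = "O'Brien ´ test";   // constructed: a single quote and an acute accent

// 1. The quoted message's approach. addslashes() turns O'Brien into O\'Brien.
//    SQLite escapes a quote by doubling it and gives a backslash no special
//    meaning, so the literal ends at \' and the rest is a syntax error:
//    the "escape" is simply the wrong one for this database.
function insertWithAddslashes(PDO $db, int $intval, string $stringvalue): string
{
    $query = "INSERT INTO table1(col1, col2, col3) VALUES("
           . sprintf("%01d", $intval) . ", '" . addslashes($stringvalue) . "', "
           . _CONSTANTINTVALUE . ")";
    try {
        $db->exec($query);
        return 'inserted';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2. Bound parameters. The value is sent separately from the SQL text, so no
//    escaping function, database-specific or otherwise, is involved, and the
//    stored string is exactly what was supplied (quote and accent included).
function insertWithParameters(PDO $db, int $intval, string $stringvalue): string
{
    $stmt = $db->prepare('INSERT INTO table1(col1, col2, col3) VALUES(?, ?, ?)');
    $stmt->execute([$intval, $stringvalue, _CONSTANTINTVALUE]);
    return 'inserted';
}

echo "addslashes(): " . insertWithAddslashes($db, $intval, $stringvalue) . "\n";
echo "parameters:   " . insertWithParameters($db, $intval, $stringvalue) . "\n";

// Read the row back: only the parameterised insert produced one.
$row = $db->query('SELECT col2 FROM table1')->fetch(PDO::FETCH_ASSOC);
echo "stored col2:  " . $row['col2'] . "\n";
```

Against MySQL the addslashes() statement would parse, which is exactly why the habit survives; the escape rules belong to the database driver, which is what bound parameters (or the driver's own escaping function) encode.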
