Rob,

Your opinion would have meant more had you offered a solution. The only hole that I am aware of is the likelihood that the embedded query could get executed accidentally later.

If the database is MySQL, there is finally a MySQL function for filtering, and mysql_real_escape_string(), if I am not mistaken, should render attempts to store SQL in the database harmless. For other databases, you should look for something specific, but for the problem you described, addslashes() should work just fine.

http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Warren

-----Original Message-----
From: Robert Cummings [mailto:robert@xxxxxxxxxxxxx]
Sent: Thursday, October 04, 2007 10:28 AM
To: Warren Vail
Cc: 'Yamil Ortega'; php-general@xxxxxxxxxxxxx
Subject: RE: inserting ´ in a db

On Thu, 2007-10-04 at 10:18 -0700, Warren Vail wrote:
> You need to escape the single quote, an easy way to do this is to run the
> text thru the addslashes() filter. Obviously you can't run your entire
> query thru the filter because most of your quotes need to be
> identified by the db. Here is what I do.
>
> $query = "insert table1(col1, col2, col3) values("
>     .sprintf("%01d",$intval).", \"".addslashes($stringvalue)."\", "
>     ._CONSTANTINTVALUE.") ";
>
> Addslashes makes other troublesome values become harmless as well and can be
> used to prevent SQL injection hacks. If someone injects a SQL query into
> your data it will not be processed, but will be stored in the DB string
> variable. Course in this case you need to be careful that if you copy the
> table contents you don't then execute the embedded query.

AddSlashes() is crap. You have a security hole due to using the improper escape mechanism for your database. USE THE CORRECT ESCAPE MECHANISM FOR YOUR DATABASE! Do not ever advocate use of the addSlashes() function for database queries unless it is the ONLY option available.

Cheers,
Rob.

--
...........................................................
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...........................................................

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
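Added example (not part of the thread above, and not code posted by Warren or Rob): a self-contained PHP script that shows Rob's point that string escaping is database-specific, next to the two approaches that are not. It runs against an in-memory SQLite database through PDO so it works offline; SQLite stands in for the MySQL setup discussed on the list, and the table, the sample values and the `_CONSTANTINTVALUE` constant are assumed here for illustration. The string literal is delimited with single quotes rather than the double quotes in Warren's snippet, because double quotes mean an identifier in standard SQL.

```php
<?php
// Added example, not from the thread: why addslashes() is not a database
// escape. SQLite via PDO is used so this runs offline; the same reasoning
// applies to any database whose string syntax differs from MySQL's.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (col1 INTEGER, col2 TEXT, col3 INTEGER)');

// Constructed test input: a value with an embedded single quote.
$intval      = 7;
$stringvalue = "d'Alembert";
define('_CONSTANTINTVALUE', 42);   // assumed, standing in for the list post's constant

// 1. The pattern from the thread: addslashes() inside a quoted literal.
//    addslashes() yields d\'Alembert. MySQL with its default sql_mode treats
//    \' as an escaped quote; SQLite, PostgreSQL (standard_conforming_strings)
//    and standard SQL do not, so the literal ends early and the statement
//    is rejected. The escaping rule belongs to the database, not to PHP.
$query = "INSERT INTO table1(col1, col2, col3) VALUES("
       . sprintf('%01d', $intval) . ", '" . addslashes($stringvalue) . "', "
       . _CONSTANTINTVALUE . ")";
try {
    $db->exec($query);
    echo "addslashes query ran (this driver accepts MySQL-style escapes)\n";
} catch (PDOException $e) {
    echo "addslashes query failed: " . $e->getMessage() . "\n";
}

// 2. Driver-specific quoting: PDO::quote() applies the connected driver's own
//    rules (SQLite doubles the quote: 'd''Alembert'). This is the "correct
//    escape mechanism for your database" when a literal must be built.
$query = sprintf('INSERT INTO table1(col1, col2, col3) VALUES(%d, %s, %d)',
                 $intval, $db->quote($stringvalue), _CONSTANTINTVALUE);
$db->exec($query);

// 3. Prepared statement: the value is sent separately from the SQL text, so
//    there is nothing to escape. A payload that looks like SQL is stored as
//    plain text and is not executed, now or when the rows are copied later.
$stmt = $db->prepare('INSERT INTO table1(col1, col2, col3) VALUES(?, ?, ?)');
$stmt->execute([$intval, "'; DROP TABLE table1; --", _CONSTANTINTVALUE]);

// Read back: the rows hold the text verbatim, attempted payload included.
foreach ($db->query('SELECT col1, col2, col3 FROM table1') as $row) {
    printf("%d | %s | %d\n", $row['col1'], $row['col2'], $row['col3']);
}
```

On SQLite the first statement fails with a syntax error because the `\'` produced by addslashes() is not an escape there; the same string would be accepted by MySQL in its default mode, which is why the approach appears to work on one database and breaks on another. PDO::quote() and, better, bound parameters work the same way on every driver, and with parameters the quoting question disappears entirely.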