Ronald Wiplinger wrote:
I just added into an input field "19" enclosure", which was displayed from the database as: 19\" enclosure. That gives me some questions: 1. Where does the protecting slash come from?
Probably magic_quotes_gpc.
2. How can I get rid of it when I want to display that field?
1) Turn off magic_quotes_gpc in a .htaccess file: php_flag magic_quotes_gpc 0
2) When you insert the data, use mysql_real_escape_string
3) When you display the data, use htmlspecialchars or htmlentities
3. The slash is not visible in phpMyAdmin. Why not?
It probably has code to pick up magic_quotes_gpc and work around it.
1. What else do I need to take care of with input fields, if they are going to a MySQL database?
Use mysql_real_escape_string.
2. Can I use a function for that kind of protection for each field, or even better just set a flag in PHP to protect them?
There is no flag, you need to use escape_string for each field.
3. Are HTTP_REFERER and the session ID enough to make sure that no variables can be injected?
No way. Never ever ever ever trust user data (did I mention never ever?). Authenticated users can do just as much damage as an unauthenticated user.
Read http://phpsec.org/projects/guide/ before you touch any more code.
-- Postgresql & php tutorials http://www.designmagick.com/
-- PHP General Mailing List (http://www.php.net/)
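The three steps the reply recommends, applied to the poster's own value 19" enclosure, as an added example that is not part of the original thread. The table name products, the column name and the mysqli connection $link are assumptions; get_magic_quotes_gpc only exists on old PHP builds (the option was removed in PHP 5.4 and the function in PHP 8.0), so the check is guarded with function_exists. The prepared-statement variant is added as the modern replacement for escaping by hand: the value is bound separately and never becomes part of the SQL text.

```php
<?php
// Added example, not code from the original mailing-list thread.

// Step 1: undo magic_quotes_gpc if the old option is still on. Without this,
// the value stored in the database picks up the stray backslash the poster saw.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 2: escape for SQL at insert time, not at display time.
// mysqli_real_escape_string needs a live connection because the escaping depends
// on the connection charset; $link is assumed to come from mysqli_connect().
function insert_product(mysqli $link, string $name): bool {
    $sql = "INSERT INTO products (name) VALUES ('"
         . mysqli_real_escape_string($link, $name) . "')";
    return mysqli_query($link, $sql) !== false;
}

// Same insert with a prepared statement: no manual escaping, the value is bound
// as data and cannot change the structure of the query.
function insert_product_prepared(mysqli $link, string $name): bool {
    $stmt = mysqli_prepare($link, "INSERT INTO products (name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $name);
    return mysqli_stmt_execute($stmt);
}

// Step 3: escape for HTML at display time. ENT_QUOTES converts both " and ',
// so a stored value cannot break out of an attribute or inject markup.
function display_name(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample standing in for $_POST['name']. With magic quotes on,
// PHP would have delivered it as 19\" enclosure and raw_input() strips that.
$posted = raw_input('19" enclosure');
echo display_name($posted), "\n";
```

Escaping happens once per destination: the SQL escape (or the bound parameter) protects the query, htmlspecialchars protects the page. Storing an HTML-escaped or backslashed copy, as magic quotes did, mixes the two and is why the database ended up holding the backslash.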