On Wed, Jan 14, 2009 at 11:34 AM, MikeP <mpeloso@xxxxxxxxxxxxx> wrote:
>
> "Eric Butera" <eric.butera@xxxxxxxxx> wrote in message
> news:6a8639eb0901140825h1d603d01i3ffcce919dca6ad1@xxxxxxxxxxxxxxxxx
>> On Wed, Jan 14, 2009 at 11:17 AM, MikeP <mpeloso@xxxxxxxxxxxxx> wrote:
>>> Hello,
>>> I am trying to get the following to work:
>>> "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
>>> Netid is a string type.
>>> No matter where or if I put the quotes, I still get array[phpCAS] not the
>>> value.
>>> If there is anything I still have trouble with after all these years it's
>>> quoting variables.
>>> Help?
>>> Thanks
>>> Mike
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>> Dude we just helped you with this same exact thing the other day. And
>> you're still allowing SQL injection.
>
> No, actually I test my queries first and then wrap them in
> mysql_real_escape_string().
>

Mike,

Well to be fair, I don't see any escaping in "Select Netid from Users where
Netid = '$_SESSION[phpCAS][user]'".

You could write:

$sql = sprintf(
    "Select Netid from Users where Netid = '%s'",
    mysql_real_escape_string($_SESSION['phpCAS']['user'])
);

and not have any of these problems.

If you're escaping outside of that statement, then it's potentially
tainting your data.
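The escaping Eric describes, beside the original interpolation bug and a prepared-statement form that avoids escaping altogether, as an added example written for this page (it is not code from the thread or from phpCAS). It assumes a reachable MySQL database with the hypothetical credentials shown and a Users table with a string Netid column; the session value is constructed to show what an injection attempt looks like. Because the mysql_* extension was removed in PHP 7, the sprintf form uses mysqli's real_escape_string(), the same idea as the mysql_real_escape_string() call in Eric's reply.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL server reachable
// with the hypothetical credentials below and a table Users(Netid VARCHAR).

// 1. The original form. Simple "$arr[key]" interpolation inside a double-quoted
//    string only parses ONE array index, so "$_SESSION[phpCAS][user]" becomes
//    the string "Array" followed by the literal text "[user]" (with an
//    "Array to string conversion" notice). That is the quoting problem Mike hit.
//    Even with the {$...} syntax that fixes the parse, the value still lands in
//    the SQL text unescaped, which is the injection Eric is pointing at.
function vulnerableQuery(): string
{
    return "Select Netid from Users where Netid = '{$_SESSION['phpCAS']['user']}'";
}

// 2. Eric's suggestion: escape at the point the query is built, and only inside
//    a quoted literal ('%s'). The escaper needs the live connection so it knows
//    the connection character set; escaping with the wrong charset is unsafe.
//    Do NOT escape when storing into $_SESSION: the stored value would then be
//    wrong everywhere else it is used (Eric's "tainting your data" point), and
//    a second escape at query time would double it.
function escapedQuery(mysqli $db): string
{
    return sprintf(
        "Select Netid from Users where Netid = '%s'",
        $db->real_escape_string($_SESSION['phpCAS']['user'])
    );
}

// 3. Prepared statement: the value is sent separately from the SQL text, so
//    there is nothing to escape and the session value is never modified.
function lookupNetid(mysqli $db, string $netid): ?string
{
    $stmt = $db->prepare('SELECT Netid FROM Users WHERE Netid = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $netid);
    $stmt->execute();
    $stmt->bind_result($found);
    $result = $stmt->fetch() ? $found : null;
    $stmt->close();
    return $result;
}

// Constructed session value: what an attacker-controlled identity would try.
// Treat anything that crosses into SQL as untrusted, even a CAS-supplied user.
$_SESSION['phpCAS']['user'] = "x' OR '1'='1";

$db = new mysqli('localhost', 'app', 'secret', 'appdb');  // hypothetical credentials
$db->set_charset('utf8mb4');  // escaping must match the connection charset

echo vulnerableQuery(), PHP_EOL;  // the injected OR clause is live SQL here
echo escapedQuery($db), PHP_EOL;  // quotes are backslash-escaped, clause is inert
var_dump(lookupNetid($db, $_SESSION['phpCAS']['user']));  // NULL: no such Netid
```

The sprintf form is only safe because the placeholder sits inside single quotes; an unquoted numeric placeholder would need an integer cast rather than string escaping. The prepared statement needs neither consideration, which is why it is the form to reach for first.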