To focus on mysql_real_escape_string, I am recapping... questions below

QUOTE:==========
Instead of doing this (for an imaginary table):

$sql = "insert into table1(field1, field2) values ('$value1', '$value2')";

do

$sql = "insert into table1(field1, field2) values ('" . mysql_real_escape_string($value1) . "', '" . mysql_real_escape_string($value2) . "')";

Now $value1 and $value2 can only be used as data, they can't be used against you. If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name.

When you say "escape all your inputs" - just what do you mean? Does that mean I need some special routines that have to be repeated over and over every time there is an input... but what do you mean by an "input"? And, from looking at all the comments in the manual, it's not clear just where to stop...

"input" means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped.
END QUOTE ===============

So, I am more confused than ever...

TWO QUESTIONS:

1. It seems to me that submitting username, password and database_name is pretty dangerous. How does one deal with that? Do you use mysql_real_escape_string? e.g.

<?php
$db_host = 'localhost';
$db_user = 'root';
$db_pwd = 'gugus@#$';
$database = 'join_tutorial';
$table = 'authorBook';

if (!mysql_connect($db_host, $db_user, $db_pwd))
    die("Can't connect to database");

if (!mysql_select_db($database))
    die("Can't select database");

// sending query
$result = mysql_query("SELECT * FROM {$table}");

2. How do you use mysql_real_escape_string on a string entered in a form page with input and $_POST where the inputs are strings like $titleIN, $authorIN....etc.?

--
Phil Jourdan --- pj@xxxxxxxxxxxxx
http://www.ptahhotep.com
http://www.chiccantine.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
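Added example (editor's code, not part of the original post or its replies) answering the two questions above with the same config values the post uses. It assumes a table authorBook(title, author) in the database join_tutorial and a form with fields named "title", "author" and "limit". The credentials in question 1 are passed as arguments to mysql_connect(); they never become part of a SQL string, so there is nothing to escape there (the real risk is the file they live in being readable, which is a file-permission question, not an escaping one). Question 2 is the main body: each $_POST value is escaped at the point where it is dropped inside single quotes in the query, and a numeric value is cast instead, because escaping only protects quoted string literals.

```php
<?php
// Added example, not code from the original post. Assumes the table
// authorBook(title, author) in database join_tutorial and a form that
// posts "title", "author" and "limit". Uses the old mysql_* extension the
// post asks about; it was removed in PHP 7 (see the note after the code).

$db_host  = 'localhost';
$db_user  = 'root';
$db_pwd   = 'gugus@#$';      // passed to mysql_connect(), never into SQL text
$database = 'join_tutorial';
$table    = 'authorBook';    // comes from config, not from the user, so it
                             // is safe to interpolate into the query

// mysql_real_escape_string() needs an open connection: it escapes according
// to the connection's character set, so connect (and set the charset) first.
$link = mysql_connect($db_host, $db_user, $db_pwd);
if (!$link) {
    die('Cannot connect to database: ' . mysql_error());
}
if (!mysql_select_db($database, $link)) {
    die('Cannot select database: ' . mysql_error($link));
}
mysql_set_charset('utf8', $link);

// Read the form fields; a missing field becomes '' instead of a notice.
$titleIN  = isset($_POST['title'])  ? $_POST['title']  : '';
$authorIN = isset($_POST['author']) ? $_POST['author'] : '';

// Escape each value right where it is placed between single quotes.
// O'Reilly becomes O\'Reilly, so the quote can no longer end the literal.
$title  = mysql_real_escape_string($titleIN, $link);
$author = mysql_real_escape_string($authorIN, $link);

$sql = "INSERT INTO {$table} (title, author) VALUES ('{$title}', '{$author}')";
if (!mysql_query($sql, $link)) {
    die('Insert failed: ' . mysql_error($link));
}

// A value used as a number is NOT protected by escaping: "1 OR 1=1" contains
// no quote to escape. Cast it to int so only digits can reach the query.
$limit  = isset($_POST['limit']) ? (int) $_POST['limit'] : 10;
$result = mysql_query("SELECT title, author FROM {$table} LIMIT {$limit}", $link);
if (!$result) {
    die('Select failed: ' . mysql_error($link));
}

// Escaping for SQL and escaping for HTML are different: what came out of the
// database still has to be encoded before it is printed into the page.
while ($row = mysql_fetch_assoc($result)) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), ' by ',
         htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
mysql_close($link);
```

Two caveats for anyone copying this today. First, mysql_real_escape_string() only makes sense for a value that sits between quotes in the SQL text; a column name, a table name or an ORDER BY direction taken from the user has to be checked against a whitelist instead. Second, the mysql_* extension is deprecated from PHP 5.5 and gone in PHP 7; the same insert with mysqli is `$stmt = $mysqli->prepare("INSERT INTO authorBook (title, author) VALUES (?, ?)"); $stmt->bind_param('ss', $titleIN, $authorIN); $stmt->execute();`, where the values travel separately from the SQL text and no escaping step exists to forget.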