RE: $_POST vs $_REQUEST

From: Rene Veerman [mailto:rene7705@xxxxxxxxx] 
> On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle
>>
>> Single quotes are best, correct, to prevent SQL injection?
> 
> SQL injection fixing is an evolving art, but you can start by pushing
> all variables that can be changed by end users going into a database
> through a marshalling function fixSQLinjectionToDB($var) { return
> addslashes($var); };
> addslashes is the minimum fix I believe, but google around and give us
> back the up-to-date uber-fix-function please :)

Slash is the wrong character. The correct SQL escape character is the
single quote.

The best way to prepare text fields is to use the DB specific escape
functions on each text field before assembling the command string, i.e.
pg_escape_string(). But that is after all fields have been sanitized and
validated.

In addition, if magic_quotes is turned on, you also need to remove them
before doing the validation. The contributed notes in the online manual
have some good suggestions on how to accomplish this.

Bob McConnell

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
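The order Bob describes (undo magic_quotes, validate each field, then escape it with the driver's own function right before assembling the statement), as an added PHP example that is not part of the thread. It assumes `$conn` is an open pg_connect() handle and a made-up `comments` table with `username` and `body` columns; the parameterised pg_query_params() variant at the end is the same insert with no string assembly at all.

```php
<?php
// Added example; not code from the thread. Assumes $conn = pg_connect(...) exists.

function undoMagicQuotes($value) {
    // magic_quotes_gpc (when on, PHP < 5.4) backslash-escapes request data on
    // arrival; strip that so validation sees what the user actually typed.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('undoMagicQuotes', $value)
                                : stripslashes($value);
    }
    return $value;
}

function validateUsername($raw) {
    // Whitelist, not blacklist: letters, digits, underscore, 3-32 chars.
    return (is_string($raw) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1)
        ? $raw : null;
}

function validateComment($raw) {
    // Free text may legitimately contain quotes; bound its length and require
    // valid UTF-8, and leave the quoting problem to the escape function.
    if (!is_string($raw) || strlen($raw) > 2000
            || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    return $raw;
}

$username = validateUsername(undoMagicQuotes(isset($_POST['username']) ? $_POST['username'] : ''));
$comment  = validateComment(undoMagicQuotes(isset($_POST['comment'])  ? $_POST['comment']  : ''));

if ($username === null || $comment === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid input');
}

// Escape only now, per text field, with the PostgreSQL-specific function
// (doubles single quotes; addslashes() would be the wrong escaping here).
$sql = sprintf(
    "INSERT INTO comments (username, body) VALUES ('%s', '%s')",
    pg_escape_string($conn, $username),
    pg_escape_string($conn, $comment)
);
$result = pg_query($conn, $sql) or die(pg_last_error($conn));

// Same insert with parameters sent separately from the statement: no escaping
// step to get wrong, so prefer this where the driver supports it.
$result = pg_query_params($conn,
    'INSERT INTO comments (username, body) VALUES ($1, $2)',
    array($username, $comment)) or die(pg_last_error($conn));
```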
