On Sun, 2010-03-14 at 11:15 +0100, Rene Veerman wrote:
> On Sun, Mar 14, 2010 at 7:18 AM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
> >
> > Tedd's perfectly capable of speaking for himself, but I can tell you
> > he's been on this list for a long time, and his skills are plenty
> > adequate for this task. He's just asking for second opinions.
> >
>
> Wouldn't someone with adequate DB skills know if he(/she) even needs
> to build a datamodel, and given the simplicity of this one, how? Based
> on what I mentioned earlier, type and amount of use of stored reports?
>
> I don't mind noobishness in any area, but I have learned to keep code
> as simple as possible.
>
> BTW;
> - as always, I recommend adodb.sf.net for DB abstractions.
> - if you are storing in DB and displaying from DB later you need to
>   prevent code injections (sql, html, js, flash) by pushing all strings
>   used in sql insert- and update-fields;
>
> $sql = 'insert into table (field1_int, field2_string, etc) values
>         ('.$field1.', "'.antiSQLinjection($field2).'", ...)';
>
> I'm using this function atm, maybe someone can improve upon it. This
> disables all sql injections, and strips all html, js & flash.
>
> function antiSQLinjection ($string) {
>
>     //anti SQL injections:
>     if (phpversion() >= '4.3.0')
>     {
>         $string = mysql_real_escape_string($string);
>     }
>     else
>     {
>         $string = mysql_escape_string($string);
>     }
>
>     if(get_magic_quotes_gpc()) // prevents duplicate backslashes
>     {
>         $string = stripslashes($string);
>     }
>
>     //anti HTML/JS/flash injections (into searchterms, for instance):
>     $string = strip_tags ($string);
>
>     return $string;
> }
>

That function won't always work. You're using a PHP version check for
mysql_real_escape_string() when the most likely failure point for it is
if no database connection has been opened. Also, you shouldn't strip the
tags from a string that's being inserted into the database. strip_tags()
is for the display of data on a web page.

It's best practice not to alter the actual data you've stored but to
convert it once it's displayed. Don't forget that the browser display
may not be the only use for that data.

Thanks,
Ash
http://www.ashleysheridan.co.uk
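Added example (not code from this thread, nor Rene's or Ash's): the approach Ash describes, with the insert parameterised so escaping is no longer tied to an open MySQL connection, and HTML conversion applied only at display time. It assumes an in-memory SQLite database with an invented `reports` table; the field names and sample input are constructed for the demonstration.

```php
<?php
// Parameterised insert + output-time escaping, as an alternative to the
// antiSQLinjection() helper quoted above. SQLite in memory so it runs
// stand-alone; table and column names are assumptions for the example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, qty INTEGER, note TEXT)');

// Store the value exactly as received. Bound parameters travel separately
// from the SQL text, so quotes or backslashes in $note cannot alter the
// statement, and nothing depends on mysql_real_escape_string() having a
// connection. If magic_quotes_gpc is on (PHP < 5.4), strip those slashes
// from the raw request input before calling this; that is an input-side
// mangling, not something to undo after escaping.
function saveReport(PDO $db, int $qty, string $note): int
{
    $stmt = $db->prepare('INSERT INTO reports (qty, note) VALUES (:qty, :note)');
    $stmt->execute([':qty' => $qty, ':note' => $note]);
    return (int) $db->lastInsertId();
}

function loadNote(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT note FROM reports WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Convert for the browser only when rendering, rather than strip_tags()
// at insert time: the stored text stays intact for any other consumer
// (CSV export, an API, a PDF), and every character is still displayable.
function renderNote(string $note): string
{
    return htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: an apostrophe and an HTML tag, both of which
// are legitimate data and must survive storage unchanged.
$input  = "O'Brien's <b>monthly</b> report";
$id     = saveReport($db, 3, $input);
$stored = loadNote($db, $id);

echo 'stored identical to input: ' . var_export($stored === $input, true) . "\n";
echo 'stored:   ' . $stored . "\n";
echo 'rendered: ' . renderNote($stored) . "\n";
```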