Karl DeSaulniers wrote:
> Hi Chris,
> On Dec 14, 2009, at 8:09 PM, Chris wrote:
>> Problem 1 is sql injection. Wrap each variable in a
>> mysql_real_escape_string call:
>>
>> insert into table (...) values ('" .
>> mysql_real_escape_string($username) . "' ....
>
> At one point I did have the mysql_real_escape_string() and it worked the
> same as without as far as populating the database.

Did you try names with single quotes? (Tim O'Reilly is a common example
to try).

> But when I would view results, it didn't read anything from the database.

Sure it went in? Did you see the data when you viewed the table in
phpmyadmin or some other tool?

>> Again you need to escape all your data (except $min, $max_results -
>> just make sure they are always integers).
>
> Those are so I can control the number of items shown per page.

I realise that. mysql_real_escape_string is used for data in your query,
and may cause problems if used in limit clauses. If you end up with this
for example:

    select * from table limit mysql_real_escape_string('blah');

of course it's not going to work.

Hence the check to make sure $min and $max_results are ints before
passing them to the query, so if anyone messes with them it won't break
your queries.

    if (!is_int($min)) {            // not an integer: fall back to the first page
        $min = 0;
    }
    if (!is_int($max_results)) {    // not an integer: fall back to 5 per page
        $max_results = 5;
    }

> Basically the result page would not show anything in the database unless
> it was inserted in the database using the $_POST method.

That still suggests an error with the insert.
--
Postgresql & php tutorials
http://www.designmagick.com/
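An added example, not code from either poster, of the two points made in the thread (escaping the inserted data so a name like Tim O'Reilly survives, and keeping $min/$max_results as real integers for the LIMIT clause). It also handles the case the is_int() check misses: values arriving via $_GET are strings, so is_int("5") is false. The table name, column name and credentials are assumed.

```php
<?php
// Added example, not code from either poster. Assumes a table `users` with a
// `username` column, and the constructed credentials below.
// $_GET/$_POST values are always strings, so is_int($_GET['min']) is always
// false; FILTER_VALIDATE_INT accepts "5" and rejects anything that is not a
// plain integer, returning the default instead.
$min = filter_var($_GET['min'] ?? '', FILTER_VALIDATE_INT,
    ['options' => ['default' => 0, 'min_range' => 0]]);
$max_results = filter_var($_GET['max_results'] ?? '', FILTER_VALIDATE_INT,
    ['options' => ['default' => 5, 'min_range' => 1, 'max_range' => 100]]);

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');  // assumed
$db->set_charset('utf8mb4');

// Insert: the value travels separately from the SQL text, so "Tim O'Reilly"
// is stored verbatim and its quote can never close the string literal.
$username = $_POST['username'] ?? '';
$stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->close();

// Paged select: LIMIT takes bound integers, so no escaping function is
// involved and the clause cannot end up as LIMIT 'blah'.
$stmt = $db->prepare('SELECT username FROM users ORDER BY username LIMIT ?, ?');
$stmt->bind_param('ii', $min, $max_results);
$stmt->execute();
$stmt->bind_result($name);
while ($stmt->fetch()) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
$stmt->close();
```

If the insert still appears to succeed but the select shows nothing, checking the table directly (as suggested above) separates a failed insert from a broken select.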
--
PHP Database Mailing List (http://www.php.net/)