Re: Slashes or no slashes

In the case that you're comparing a field to a field in the database (the
field name),
do you escape that, or because it is hardcoded you don't need to?
My thoughts are that you need to escape all data going in.

Correct. A field name is not data though. You've already validated it (somehow, either by hardcoding it, or checking it against field names to make sure it's a proper field and doesn't contain weird chars).

But I do not know if it will match.

E.g.:

/**
 * updateProduct
 */
function updateProduct($ProductName, $field, $value) {
    // $value and $ProductName are escaped as data; $field is interpolated as-is
    $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." = '".mysql_real_escape_string($value)."'"
       . " WHERE ProductName = '".mysql_real_escape_string($ProductName)."'";
    return $this->query($q);
}

Do I escape $field? mysql_real_escape_string($field)?

You can only escape data, not field or table (or database) names.

--
Postgresql & php tutorials
http://www.designmagick.com/
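As an added example (not code from the thread), here is the same updateProduct written to treat the column name and the data differently: the identifier is checked against a fixed list of known columns, and the values go through PDO prepared statements instead of mysql_real_escape_string. The table name, the column list and the PDO connection are assumptions.

```php
<?php
// Added example, not from the original thread. The identifier ($field) is
// validated against a whitelist; the data ($value, $ProductName) is bound as
// parameters, so no manual escaping is needed.
// Assumptions: a PDO connection to MySQL and the table/column names below.

const TBL_PRODUCTS = 'products';                                          // assumed
const PRODUCT_COLUMNS = ['ProductName', 'Price', 'Stock', 'Description']; // assumed

/**
 * Update one column of a product row.
 *
 * @throws InvalidArgumentException if $field is not a known column.
 */
function updateProduct(PDO $db, string $ProductName, string $field, string $value): int
{
    // Identifiers cannot be escaped like data; the only reliable check is
    // membership in a list you control. strict=true avoids loose comparison.
    if (!in_array($field, PRODUCT_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown column: $field");
    }

    // $field is now one of our own literals, so interpolating it is safe.
    // Backticks keep MySQL happy if a column name is also a reserved word.
    $sql = sprintf(
        'UPDATE `%s` SET `%s` = :value WHERE ProductName = :name',
        TBL_PRODUCTS,
        $field
    );

    // Data goes through bound parameters, never string concatenation.
    $stmt = $db->prepare($sql);
    $stmt->execute([':value' => $value, ':name' => $ProductName]);
    return $stmt->rowCount();
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// updateProduct($db, 'Widget', 'Price', '9.99');         // updates one row
// updateProduct($db, 'Widget', 'Price = 0 -- ', '9.99'); // throws, never reaches MySQL
```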


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
