On 01/04/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
So, after a recent thread on data filtering, I'm wondering...
Is this "good enough" in ALL possible Unicode/charset situations:
$foo_id = (int) $_POST['foo_id'];
$query = "insert into whatever(foo_id) values($foo_id)";
Or is it possible, even theoretically possible, for a sequence of:
[-]?[0-9]+
to somehow run afoul of ANY charset?
Depends how standard you want to get: '--' is the SQL comment
character, so if you have something like:
SELECT ... WHERE column-$foo > 3 AND password='$password'
and foo is a negative integer, then in ANSI SQL, you've just commented
out everything after 'column', leaving you with:
SELECT ... WHERE column
Mysql protects you from that by demanding a space after the comment sequence.
-robin
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
