Pierre Chifflier wrote:
> Hi,
>
> It's not sufficient, there are way more methods to inject SQL data. Each
> database provides a function to escape characters, so in case of MySQL
> you should use mysql_real_escape_string:
> http://fr.php.net/mysql_real_escape_string
>
Here, the problem is not to escape a string but to clean a filename so that the file can be stored, its name stored in the DB, and the stored name used to retrieve the file. Escaping the filename is not the complete solution. All characters which are not allowed must be deleted or replaced by an alternative character.

Regards
Julien

_______________________________________________
Glpi-user mailing list
[email protected]
https://mail.gna.org/listinfo/glpi-user
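The distinction Julien draws above (escaping a string for the database versus cleaning a filename so it is safe on disk and round-trips through the DB) can be shown with a small allowlist sanitizer. The code below is an added example, not GLPI code and not Julien's or Pierre's; the length limit, the replacement character and the reserved-name list are assumptions, and the escaping routine is a simplified stand-in for mysql_real_escape_string written only to show that SQL escaping leaves path traversal untouched.

```python
import os
import re
import unicodedata

# Assumed maximum length for the stored name (a database column limit, not GLPI's real one).
MAX_NAME_LEN = 100

# Allowlist: anything outside letters, digits, dot, dash and underscore is replaced.
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")

# Device names Windows refuses even with an extension (assumed list for the example).
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


def sql_escape_like_mysql(s: str) -> str:
    """Simplified stand-in for mysql_real_escape_string (assumed, not libmysql's code).

    It backslash-escapes only the characters that matter inside a SQL string
    literal; it knows nothing about '/', '..' or what a filesystem will do.
    """
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def clean_filename(name: str, replacement: str = "_") -> str:
    """Reduce an untrusted upload name to a safe, storable basename.

    Disallowed characters are deleted or replaced (not escaped), so the
    result is the same string whether it lives in the DB or on disk.
    """
    rep = re.escape(replacement)

    # 1. Drop any directory part, whichever separator the client used,
    #    so "../../etc/passwd" and "C:\Users\x\report.doc" become basenames.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]

    # 2. Remove NUL bytes (C-string truncation) and fold accents to ASCII.
    name = name.replace("\0", "")
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode("ascii")

    # 3. Replace every character outside the allowlist.
    name = _DISALLOWED.sub(replacement, name)

    # 4. Tidy: collapse runs of the replacement and of dots, drop replacement
    #    characters around a dot, and strip leading/trailing dots, dashes and
    #    replacements (hidden files, option-like names, trailing dots on Windows).
    name = re.sub(rf"{rep}+", replacement, name)
    name = re.sub(r"\.{2,}", ".", name)
    name = re.sub(rf"{rep}*\.{rep}*", ".", name)
    name = name.strip("." + replacement + "-")

    # 5. Neutralise reserved device names (con, nul.txt, com1, ...).
    stem = name.partition(".")[0]
    if stem.upper() in _RESERVED:
        name = replacement + name

    # 6. Cap the length but keep (a bounded) extension.
    if len(name) > MAX_NAME_LEN:
        root, ext = os.path.splitext(name)
        ext = ext[:10]
        name = root[:MAX_NAME_LEN - len(ext)] + ext

    # 7. Never hand back an empty name; the caller should still add a
    #    unique prefix/ID before using it on disk.
    return name or "unnamed"


if __name__ == "__main__":
    for raw in ["../../etc/passwd", "my report (final).pdf", "Résumé.txt",
                "nul", "...", "C:\\Users\\me\\report.doc"]:
        print(repr(raw), "->", repr(sql_escape_like_mysql(raw)), "|", repr(clean_filename(raw)))
```

Note that sql_escape_like_mysql("../../etc/passwd") returns the input unchanged: it is a perfectly valid SQL string literal and a perfectly dangerous path, which is why escaping alone does not solve the filename problem. The cleaned name should still be written to the database with a parameterised query; the sanitizer replaces the filesystem check, not the SQL one.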
