On 19.09.2011 03:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
> 
> $sql="INSERT into table VALUES ('$id','$val')";
> 
> where $id is a numeric variable in PHP and a numeric field in the table,
> I'll include $id in single quotes in the PHP statement, so even if the
> value of $id is null, alpha, or invalid (not numeric) it does not generate a
> MySQL syntax error.

What ugly style. If it is not numeric and you throw it to the database,
you are one of the many with a SQL injection, because if you get invalid
values up to that point you have done no sanitizing before and do not do it here.

// cast the numeric column to int, escape the string column
$sql = "INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) . "')";

or using an abstraction layer (simple self-written class):

// same idea, with the escaping done by the abstraction layer
$sql = "INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";

All other things in the context of hand-written queries are the nice ones we
read about every day in the news and should NOT be recommended, because the
next beginner reading this makes all the mistakes again.
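To make the difference between the two styles in this thread concrete, here is an added stand-alone PHP script (not code from either poster). It builds the same INSERT statement both ways and prints the result for a normal input, a non-numeric id, and data containing a quote character. The `Db` class and its `escape_string()` method are a hypothetical minimal version of the "simple self written class" the reply mentions; when no live connection is given it falls back to a demo-only character replacement, which is an assumption for offline execution and not a substitute for `mysqli_real_escape_string()` on a real connection.

```php
<?php
// Added example, not part of the original thread.
// Run with: php example.php

/**
 * Hypothetical minimal abstraction layer. With a live mysqli connection,
 * escape_string() delegates to mysqli_real_escape_string(), which needs the
 * connection to know the active charset. Without one, a demo-only fallback
 * is used so this script runs offline (assumption for illustration only).
 */
class Db
{
    private $conn;

    public function __construct($conn = null)
    {
        $this->conn = $conn; // mysqli instance or null
    }

    public function escape_string(string $s): string
    {
        if ($this->conn !== null) {
            return mysqli_real_escape_string($this->conn, $s);
        }
        // Demo fallback: the same characters MySQL's escaper handles.
        return strtr($s, [
            "\\"   => "\\\\",
            "'"    => "\\'",
            '"'    => '\\"',
            "\0"   => "\\0",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ]);
    }
}

// Hank's style: quote the numeric column so bad input never causes a syntax error.
function build_quoted($id, $val): string
{
    return "INSERT into table VALUES ('$id','$val')";
}

// The reply's style: force the numeric column to int, escape the string column.
function build_cast(Db $db, $id, $val): string
{
    return "INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";
}

$db = new Db(); // no connection: uses the demo fallback escaping

// Constructed sample inputs: what $id / $val might hold at this point.
$cases = [
    'normal'        => ['42', 'hello'],
    'non-numeric'   => ['abc', 'hello'],
    'quote in data' => ["1'", "O'Reilly"],
];

foreach ($cases as $label => [$id, $val]) {
    printf("%-14s quoted: %s\n", $label, build_quoted($id, $val));
    printf("%-14s cast:   %s\n\n", '', build_cast($db, $id, $val));
}
```

For the "quote in data" case the quoted version yields `VALUES ('1'','O'Reilly')`, where the unescaped quotes end the string literals early, so the value boundaries are no longer under the application's control; the cast version yields `VALUES (1,'O\'Reilly')`. For the non-numeric case the quoted version silently sends `'abc'` to a numeric column, while `(int)'abc'` becomes `0`; since PHP's cast never raises an error, a validation step (for example `ctype_digit()` or `filter_var(..., FILTER_VALIDATE_INT)`) before the query is still needed if `0` is not an acceptable value.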

