On Mon, Sep 19, 2011 at 07:47, Reindl Harald <h.rei...@thelounge.net> wrote:
> what ugly style - if it is not numeric and you throw it to the database
> you are one of the many with a sql-injection because if you get
> invalid values until there you have done no sanitizing before and do not here
>
> $sql="INSERT into table VALUES (" . (int)$id . ",'" .
> mysql_real_escape_string($val) . "')";
> or using an abstraction layer (simple self-written class)
> $sql="INSERT into table VALUES (" . (int)$id . ",'" .
> $db->escape_string($val) . "')";
>
> all other things in the context of hand-written queries are all the nice ones
> we read every day in the news and should NOT be recommended because the next
> beginner reading this makes all the mistakes again
Thanks, Reindl. I actually do something like this (simplified, in real code I use an array and a small custom function):

$mysqlName=mysql_real_escape_string($name);

Then, in the query I can see that all my variables start with $mysql* so I know that they have been sanitized.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org
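The two techniques in Reindl's snippet, (int) casting for the numeric column and mysql_real_escape_string() for the quoted string column, rest on a point the thread does not spell out: the escaper only helps inside a quoted literal. The following is an added example, not code from either poster; it emulates both PHP operations in Python, builds the same INSERT, and then runs a constructed "1 OR 1=1" payload through an escaped-but-unquoted numeric comparison, the cast, and a driver placeholder. The table name `t`, the sample rows and all function names are assumptions; SQLite is used only because it runs in-process, and the escaping table is an approximation of MySQL's, not a charset-aware port of it.

```python
import re
import sqlite3

# Added example, not from the mailing-list thread. Emulates PHP's (int) cast
# and mysql_real_escape_string() so their effect on a query string is visible.

# Characters mysql_real_escape_string() backslash-escapes inside a quoted literal
# (approximation: the real function is also connection-charset aware).
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Approximation of mysql_real_escape_string() for a UTF-8 connection."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def php_int(value) -> int:
    """Approximation of PHP's (int) cast on a string: keep the leading
    optional-sign digit run, otherwise 0. Everything after the digits is
    dropped, which is why the cast neutralises '1 OR 1=1'."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def insert_sql(id_value, val: str) -> str:
    """Reindl's pattern: cast the numeric column, escape AND quote the string."""
    return "INSERT INTO t VALUES (%d,'%s')" % (php_int(id_value), mysql_escape(val))


def where_id_escaped_only(id_value) -> str:
    """Wrong: escaping a value that is interpolated without quotes. There is
    no quote to break out of, so the escaper changes nothing and the payload
    lands in the statement unchanged."""
    return "SELECT id FROM t WHERE id=" + mysql_escape(str(id_value))


def where_id_cast(id_value) -> str:
    """Right for a numeric column: after the cast only an integer remains."""
    return "SELECT id FROM t WHERE id=%d" % php_int(id_value)


def _demo_db() -> sqlite3.Connection:
    # Constructed sample data (assumed table 't' with three rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, val TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    return conn


def count_rows(sql: str) -> int:
    """Execute a finished, string-built statement and count the rows it returns."""
    return len(_demo_db().execute(sql).fetchall())


def count_rows_param(id_value) -> int:
    """The alternative to hand-written queries: a placeholder. The driver passes
    the value separately, so '1 OR 1=1' is compared as a value, never parsed."""
    return len(_demo_db().execute("SELECT id FROM t WHERE id=?", (id_value,)).fetchall())


if __name__ == "__main__":
    payload = "1 OR 1=1"  # constructed attacker input
    print(insert_sql("7abc", "O'Reilly\\"))
    print(where_id_escaped_only(payload), "->", count_rows(where_id_escaped_only(payload)), "rows")
    print(where_id_cast(payload), "->", count_rows(where_id_cast(payload)), "rows")
    print("placeholder ->", count_rows_param(payload), "rows")
```

The escaped-only WHERE returns every row because "1 OR 1=1" contains nothing for the escaper to escape; the cast reduces it to `id=1`, and the placeholder matches nothing because the whole string is compared as one value. A naming convention like Dotan's `$mysql*` prefix only tells you a variable was escaped; it does not tell you whether the place it is used is a quoted string context, which is the check that decides whether escaping was the right tool.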