Ronald Wiplinger wrote:
> I just added into an input field:
> 19" enclosure
> which was displayed from the database as:
> 19\" enclosure
> That gives me some questions:
> 1. where does the protecting slash come from?
Probably magic_quotes_gpc
> 2. how can I get rid of it when I want to display that field?
1) Turn off magic_quotes_gpc in an .htaccess file:
php_flag magic_quotes_gpc 0
2) When you insert the data, use mysql_real_escape_string
3) When you display the data, use htmlspecialchars or htmlentities
> 3. The slash is not visible in phpmyadmin, why not?
It probably has code to pick up magic_quotes_gpc and work around it.
> 1. what else do I need to take care of with input fields if they are
> going to a mysql database?
Use mysql_real_escape_string
> 2. can I use a function for that kind of protection for each field - or
> even better just flag it in php to protect?
There is no flag, you need to use escape_string for each field.
> 3. is HTTP_REFERER & session-id enough to make sure that no variables
> can be injected?
No way. Never ever ever ever trust user data (did I mention never
ever?). Authenticated users can do just as much damage as an
unauthenticated user.
Read http://phpsec.org/projects/guide/ before you touch any more code.
--
Postgresql & php tutorials
http://www.designmagick.com/
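An added example, not code from the original thread or from either participant, that walks the `19" enclosure` value through the three layers the reply keeps apart: what magic_quotes_gpc did to the request data, how the value is put into the database, and how it is escaped for display. It uses PDO with an in-memory SQLite database rather than the mysql_* functions (those were removed in PHP 7, and magic_quotes_gpc itself was removed in PHP 5.4, so the addslashes() call only simulates what the flag used to do); a bound parameter replaces mysql_real_escape_string and needs no connection-specific escaping. The table name `products` and the hostile sample value are constructed for the example; the same code works against a `mysql:` DSN.

```php
<?php
// Added example (not from the thread). Three layers that must not be mixed:
//   1. transport mangling (magic_quotes_gpc)  -> undo it or turn it off
//   2. storage                                 -> bind parameters, escape nothing by hand
//   3. display                                 -> escape for HTML, and only there
declare(strict_types=1);

$input = '19" enclosure';                 // constructed: what the user typed

// 1. magic_quotes_gpc applied the equivalent of addslashes() to every
//    GET/POST/COOKIE value before the script saw it. Storing that value
//    as-is (or escaping it a second time) writes the backslash into the table,
//    which is exactly the 19\" enclosure seen in the thread.
$gpc      = addslashes($input);           // 19\" enclosure  (simulated magic_quotes)
$restored = stripslashes($gpc);           // 19" enclosure   (the workaround if the flag is on)

// 2. Storage: a prepared statement with bound parameters. The driver sends the
//    value separately from the SQL text, so quotes in the data cannot close the literal.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO products (name) VALUES (:name)');
$insert->execute([':name' => $restored]); // correct: stored as 19" enclosure
$insert->execute([':name' => $gpc]);      // wrong:   stored as 19\" enclosure (double escaping)

// A hostile value is just data as well: quote and comment marker stay inside the string.
$hostile = "x'; DROP TABLE products; -- ";  // constructed sample
$insert->execute([':name' => $hostile]);

// 3. Display: escape for the output context. ENT_QUOTES turns the double quote
//    into &quot; so the value cannot break out of an HTML attribute either.
$rows = $db->query('SELECT name FROM products ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $name) {
    printf("stored: [%s]\n  html: %s\n", $name, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
}

// The table survived the hostile value because it was bound, not concatenated.
$count = (int) $db->query('SELECT COUNT(*) FROM products')->fetchColumn();
printf("rows in products: %d\n", $count);
```

Run it with `php example.php`. The first row prints `stored: [19" enclosure]` and `html: 19&quot; enclosure`, which is the combination Ronald was after; the second row shows the stray backslash that results when the magic_quotes-mangled value is stored without stripslashes(); the third row and the row count show the hostile value sitting harmlessly in the table. Escape for SQL (or better, bind) at the point of storage and escape for HTML at the point of display, never the other way round and never twice.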
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php