Another way I validate input is by using settype(); For instance:
settype($id, "integer"); I use addslashes and settype on all data coming from a browser that ends up being using in a query. (abs will convert negative numbers, which may be what you want, but then again. <G>) Jaime Bozza -----Original Message----- From: Nathan Cassano [mailto:[EMAIL PROTECTED]] Sent: Friday, December 21, 2001 11:34 AM To: [EMAIL PROTECTED] Subject: RE: [PHP] Mommy, is it true that...? One thing that I do know is dangerous is deleting rows based on an integer field with an unprocessed value; Example: Delete row script <? if($delete && $id){ "delete from mytable where id = $id"; } ?> By simply appending an all inclusive sql clause. $id = "21421 or 1 = 1"; Ca-Boom! The entire table has been deleted. Don't you feel dumb! Instead process the input. $id = abs($id); -----Original Message----- From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 20, 2001 5:40 PM To: [EMAIL PROTECTED] Subject: [PHP] Mommy, is it true that...? 2. Please enter your age: 25; drop database mysql Does this actually work? I've read at least a dozen articles telling people to get it in their blood not to trust users and addslashes to any king incoming data, as well as pass it as strings to mysql ("insert into person set age='$age'" instead of "insert into person set age =$age). So I decided I had to test this: I wrote the code exactly as in the example; I provided the exact dangerous input (well, to be honest, I tried a select instead of drop mysql). When I tried it, the presumably dangerous situation degraded into a trivial MySQL error. It went something like "You have an error near '; select 1+1'". Did you ever actually try this? Does it work on your system? Thanks in advance for the input! Bogdan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
