> $my_val_a = addslashes($HTTP_POST_VARS["val_a"]);
> $my_val_b = addslashes($HTTP_POST_VARS["val_b"]);
> $query = "INSERT INTO foo (a,b) VALUES ($my_val_a,$my_val_b)";
>
> Or if you have magic_quotes_gpc turned on (the default) all vars passed
> in from forms/cookies are quoted and SQL injection is not possible.
Actually, this way you are not doing anything. By the format of your INSERT statement, you are assuming that $my_val_a and $my_val_b are numbers, since there are no quotes around them. Therefore addslashes() does nothing to prevent the user from putting a value like --> 12,'bad value')# <-- into $my_val_a and putting a bad value into the second column.

Now if you validate that the two are numbers, then you won't have this problem. And if you are validating a string, yes, then use addslashes(), and the # won't be able to act as a comment.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
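The point of the reply, as an added PHP example that is not code from either poster: the same unquoted INSERT is rebuilt so you can see that addslashes() leaves the comma, parenthesis and # in the quoted value intact, and then the two defences the reply names are shown side by side: validating that the value is an integer before interpolation (here with filter_var(), a function the thread does not mention), and, as the modern form of "don't let user data into the SQL text", a PDO prepared statement. The table foo and columns a,b come from the quoted post; the function names, the in-memory SQLite database and the sample values are assumptions constructed for this example.

```php
<?php
// Added example, not code from the thread. Reproduces the unquoted-number
// pattern from the quoted post and shows the two defences the reply names:
// validate that the value is a number, or (modern equivalent) bind it.
// Table "foo" and columns a,b are from the post; function names, sample
// values and the SQLite database are constructed for this example.

// The pattern from the quoted post: addslashes() on values that are then
// interpolated WITHOUT surrounding quotes.
function build_query_unquoted(string $a, string $b): string
{
    $a = addslashes($a);
    $b = addslashes($b);
    return "INSERT INTO foo (a,b) VALUES ($a,$b)";
}

// Defence 1: validate that the input really is an integer before it is
// interpolated. filter_var() returns false for anything that is not a
// plain integer, so the hostile value below is rejected, not escaped.
function validate_int(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return ($v === false) ? null : $v;
}

// Defence 2: a prepared statement. The values travel separately from the
// SQL text, so commas, parentheses or '#' in the input cannot change the
// statement's structure, whatever the column type.
function insert_with_pdo(PDO $pdo, string $a, string $b): bool
{
    $stmt = $pdo->prepare("INSERT INTO foo (a,b) VALUES (:a, :b)");
    return $stmt->execute([':a' => $a, ':b' => $b]);
}

// Constructed sample inputs; the second is the value discussed in the reply.
$benign  = "12";
$hostile = "12,'bad value')#";

// addslashes() escapes only the quotes; the comma, the closing parenthesis
// and the '#' that alter the statement's shape pass through untouched.
echo "Unquoted interpolation: ", build_query_unquoted($hostile, "0"), "\n";

// The validation route: the benign value passes, the hostile one is
// rejected (null), so it never reaches the query string.
var_dump(validate_int($benign));
var_dump(validate_int($hostile));

// The binding route, run against an in-memory SQLite database
// (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE foo (a INTEGER, b INTEGER)");
insert_with_pdo($pdo, $hostile, "0");

// Exactly one row exists and column a holds the hostile text verbatim;
// nothing in it was interpreted as SQL.
$row = $pdo->query("SELECT a, b FROM foo")->fetch(PDO::FETCH_ASSOC);
echo "Stored row: ", json_encode($row), "\n";
```

Run it with the CLI (`php example.php`). The first line of output shows the structural characters surviving addslashes(), the two var_dump() calls show validation accepting only the genuine integer, and the final line shows the bound insert storing the whole input as a single column value. The SQLite dynamic typing means the hostile string is stored as text in an INTEGER column; on a strictly typed server the prepared insert would instead fail with a type error, which is still a safe outcome.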