Ken

Do *not* use hidden form statements or cookies to store any SQL; this is
extremely dangerous and a relatively simple hack could destroy your database
completely!

By all means use hidden form fields to store row ID values but your PHP
scripts should treat all user input data via $_GET/$_POST/$_COOKIE/$_FILES
as hostile and you should be rigorous in validating that data coming into
your script is as you would expect...

Having said that it seems your server has magic_quotes_gpc() switched on -
this automatically escapes all incoming data that could upset a SQL query
i.e. the quotes - you can remove them by using stripslashes() or switch off
magic quotes in your php.ini file. But I would repeat *don't* continue down
the path you are going unless you like being hacked!

HTH
Rich
-----Original Message-----
From: Ken Nagorski [mailto:[EMAIL PROTECTED]]
Sent: 23 November 2002 11:52
To: [EMAIL PROTECTED]
Subject: [PHP] using cookies


Hi there,

I have never used cookies before, however I am trying to implement them to
make things a little more secure. Rather than passing a sql statement via a
hidden input tag I am setting a cookie. This works fine except that when I
look at the sql after it is pulled from the cookie everything is escaped,
for instance:

SELECT * FROM inventory WHERE name='Watches'
  would become
SELECT manufacturer FROM inventory WHERE name=\'Watches\'

This is a problem because trying to use preg_replace doesn't seem to work. I
get an error saying that the delimiter must not be a \. What a bummer. I am
a little stuck. I will take any suggestions. Maybe I am just going about
things the wrong way. *** Shrug ***

Thanks
Ken




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
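The following is an added example, written for this page and not code posted by Rich or Ken, showing what Rich's advice looks like in practice: the SQL text stays inside the script, the hidden field or cookie carries only a row ID or a short category name, and those values go into the query as bound parameters. It assumes a MySQL table `inventory` with columns `id`, `manufacturer` and `name` (the thread only shows `manufacturer` and `name`), PHP with the PDO extension, and placeholder DSN credentials. The stripslashes() guard covers the magic_quotes_gpc behaviour Rich mentions; that feature was removed in PHP 5.4, so on current PHP the guard is a no-op.

```php
<?php
// Added example, not code from the thread. Assumed schema: inventory(id, manufacturer, name).
// DSN, user and password below are placeholders.
declare(strict_types=1);

// Undo magic_quotes_gpc escaping only where that feature exists (PHP < 5.4).
// On current PHP the function no longer exists, so the value is returned unchanged.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// $_GET/$_POST/$_COOKIE entries can be arrays (e.g. name[]=x); only accept strings.
function input_string($value): ?string
{
    return is_string($value) ? $value : null;
}

// A hidden field or cookie named row_id carries only an integer. Anything that is
// not a short run of digits is rejected rather than "cleaned up".
function parse_row_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $raw = undo_magic_quotes($raw);
    return preg_match('/^\d{1,10}$/', $raw) === 1 ? (int) $raw : null;
}

// A category such as "Watches" is accepted only if it matches a tight pattern.
function parse_category(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $raw = undo_magic_quotes($raw);
    return preg_match('/^[A-Za-z0-9 ]{1,40}$/', $raw) === 1 ? $raw : null;
}

// The query from the thread with the literal replaced by a bound parameter.
// No quoting or escaping of $name is needed: the driver keeps data and SQL apart.
function fetch_manufacturers(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT manufacturer FROM inventory WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Lookup by the row ID carried in the hidden field.
function fetch_row(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT manufacturer, name FROM inventory WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling: reject bad input with a 400 instead of trying to repair it.
$db = new PDO('mysql:host=localhost;dbname=shop', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$category = parse_category(input_string($_POST['category'] ?? $_COOKIE['category'] ?? null));
$rowId    = parse_row_id(input_string($_POST['row_id'] ?? null));

if ($category === null && $rowId === null) {
    http_response_code(400);
    exit('Bad request');
}

if ($category !== null) {
    foreach (fetch_manufacturers($db, $category) as $manufacturer) {
        echo htmlspecialchars($manufacturer, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
if ($rowId !== null && ($row = fetch_row($db, $rowId)) !== null) {
    echo htmlspecialchars($row['manufacturer'] . ' / ' . $row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two points worth noting about the design. First, validation here is an allowlist: a value that does not match the expected shape is refused, which is simpler and safer than trying to strip or unescape characters out of it. Second, the preg functions require the pattern to be wrapped in delimiters (`'/.../'` above); passing a bare pattern such as `'\\'` is what produces the "delimiter must not be" error, so any pattern needs its delimiters before escaping is even a question.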