sean Thu Oct 28 10:25:51 2004 EDT
Modified files: /phpdoc/en/security database.xml Log: - Fixed [some of the] grammar - Changed recommendation of escape mechanism http://cvs.php.net/diff.php/phpdoc/en/security/database.xml?r1=1.7&r2=1.8&ty=u Index: phpdoc/en/security/database.xml diff -u phpdoc/en/security/database.xml:1.7 phpdoc/en/security/database.xml:1.8 --- phpdoc/en/security/database.xml:1.7 Thu Sep 9 08:49:33 2004 +++ phpdoc/en/security/database.xml Thu Oct 28 10:25:50 2004 @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="iso-8859-1"?> -<!-- $Revision: 1.7 $ --> +<!-- $Revision: 1.8 $ --> <!-- splitted from ./index.xml, last change in rev 1.66 --> <chapter id="security.database"> <title>Database Security</title> @@ -412,11 +412,16 @@ </listitem> <listitem> <simpara> - Quote each non numeric user input which is passed to the database with - <function>addslashes</function> or <function>addcslashes</function>. + Quote each non numeric user supplied value that is passed to the + database with the database-specific string escape function (e.g. + <function>mysql_escape_string</function>, + <function>sql_escape_string</function>, etc.). If a database-specific + string escape mechanism is not available, the + <function>addslashes</function> and <function>str_replace</function> + functions may be useful (depending on database type). See <link linkend="security.database.storage">the first example</link>. - As the examples shows, quotes burnt into the static part of the query - is not enough, and can be easily cracked. + As the example shows, adding quotes to the static part of the query + is not enough, making this query easily crackable. </simpara> </listitem> <listitem>
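Review bot: In the second hunk, the new recommendation lists <function>sql_escape_string</function> as an example of a database-specific escape function, but that name does not match any function documented in the PHP manual's function reference that I can find; please verify it, and if it is a typo for a real function replace it, otherwise readers will follow a dead link. While touching that list, prefer <function>mysql_real_escape_string</function> over <function>mysql_escape_string</function>, since only the former escapes according to the character set of the open connection, and consider adding <function>pg_escape_string</function> for PostgreSQL so the "etc." is backed by more than one concrete example. Two wording points on the same lines: "(depending on database type)" after the <function>addslashes</function>/<function>str_replace</function> fallback should say explicitly that the escaping must match the quoting rules of the target database, and "making this query easily crackable" reads awkwardly; "so the query remains easy to attack" or simply stopping after "is not enough" would be cleaner. Finally, restricting the advice to "non numeric" values leaves the numeric case unaddressed: a short clause that numeric input must still be validated or cast to an integer before it is used in the query would close that gap, since quoting cannot protect it.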