This isn't a Flash issue really. Depending on the installed version, php
defaults to a setting called magic quotes. This automatically escapes any
quotes received by an http request (either post or get methods) with a
backslash.
http://ar2.php.net/magic_quotes
You can disable that setting or remove the backslashes, check the link for
more info on that.
On a side note, I'd recommend not to construct the query on the flash side,
as it's much more problematic, security-wise. What about if someone posts
delete * from users to File.php?; Yes, you can try and validate the
querys, but it's already hard to properly validate the parameterized data in
a pre-build query hardcoded in a php script, let alone validating a whole
user supplied string as a sql query).
Cheers
Juan Pablo Califano
- Original Message -
From: Omar Fouad [EMAIL PROTECTED]
To: Flash Coders List flashcoders@chattyfig.figleaf.com
Sent: Friday, February 01, 2008 11:07 PM
Subject: [Flashcoders] LoadVars and SQL Query issue
I am doing an application where I'm writing some classes that sends queries
to a php file by using LoadVars.send().
var toSend:LoadVars = new LoadVars();
var myQuery:String = select * from users where Name = 'Omar Fouad' ;
toSend.query = myQuery; // tracesselect * from users where Name =
'Omar
Fouad'
toSend.send(File.php, _self, POST);
At this phase the php files receive the query and when I echo the query
string appears:
select * from users where Name = \'Omar Fouad\'
That's is how it is sent to the server so of course it shows an SQL error
because of the backslashes. Apparently it does not recognize the String
in
the String part of the query that is sent from Flash.
When I send a query for a Number like:
select ^ from users where id = 1
it queries the database without problems.
How can I solve this problem?
Thanks and Regards.
--
Omar M. Fouad - Digital Emotions
http://www.omarfouad.net
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders