On 20.09.2011 01:23, Dotan Cohen wrote:
> On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
>> i would use a small class holding the db-connection with
>> insert/update-methods
>> pass the whole record-array, look at what field types are used in the table
>> and use intval(), doubleval() or my
On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
> i would use a small class holding the db-connection with insert/update-methods
> pass the whole record-array, look at what field types are used in the table
> and use intval(), doubleval() or mysql_real_escape_string
>
By the way, the database co
On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
> i would use a small class holding the db-connection with insert/update-methods
> pass the whole record-array, look at what field types are used in the table
> and use intval(), doubleval() or mysql_real_escape_string
>
> so you never write "insert
On Tue, Sep 20, 2011 at 02:09, Hank wrote:
>>
>> I want to be sure that all variables in the query are escaped. I don't
>> trust myself or anyone else to do this to every variable right before
>> the query:
>> $someVar=mysql_real_escape_string($someVar);
>>
>
> But you're doing exactly that right
>
>
> I want to be sure that all variables in the query are escaped. I don't
> trust myself or anyone else to do this to every variable right before
> the query:
> $someVar=mysql_real_escape_string($someVar);
>
>
But you're doing exactly that right before the query anyway with:
$M[username]=mysql_
On 20.09.2011 00:39, Dotan Cohen wrote:
> On Tue, Sep 20, 2011 at 01:11, Hank wrote:
>> Best of both worlds:
>>> $username=$_POST['username'];
>>> // do some stuff with username here
>>> $M=array(); // Array of things to be inserted into MySQL
>>> $M[username]=mysql_real_escape_string($userna
On Tue, Sep 20, 2011 at 01:11, Hank wrote:
> Best of both worlds:
>> $username=$_POST['username'];
>> // do some stuff with username here
>> $M=array(); // Array of things to be inserted into MySQL
>> $M[username]=mysql_real_escape_string($username); // Everything that
>> goes into $M is escaped
Best of both worlds:
> $username=$_POST['username'];
> // do some stuff with username here
> $M=array(); // Array of things to be inserted into MySQL
> $M[username]=mysql_real_escape_string($username); // Everything that
> goes into $M is escaped
> $query="INSERT INTO table (username) VALUES ('{$M
On Mon, Sep 19, 2011 at 18:11, Reindl Harald wrote:
> it is not because it is clear that it is sanitized instead of hope and pray
> thousands of layers somewhere else did it - for an inline query the best
> solution, if you are using a framework you will never have the "insert into"
> at this place!
>
On 19.09.2011 16:55, Hank wrote:
>>
>> what ugly style - if it is not numeric and you throw it at the database
>> you are one of the many with an SQL injection, because if you get
>> invalid values that far you have done no sanitizing before and do not here
>>
>>
> It's a matter of opinion.
>
> what ugly style - if it is not numeric and you throw it at the database
> you are one of the many with an SQL injection, because if you get
> invalid values that far you have done no sanitizing before and do not here
>
>
It's a matter of opinion. I never said the data wasn't sanitized (it is
On Mon, Sep 19, 2011 at 07:47, Reindl Harald wrote:
> what ugly style - if it is not numeric and you throw it at the database
> you are one of the many with an SQL injection, because if you get
> invalid values that far you have done no sanitizing before and do not here
>
> $sql="INSERT into tab
On Mon, Sep 19, 2011 at 04:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a n
On 19.09.2011 03:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a numeri
On Sun, Sep 18, 2011 at 12:28 PM, Dotan Cohen wrote:
> On Sun, Sep 18, 2011 at 17:44, Brandon Phelps wrote:
> > Personally I don't use any quotes for the numeric types, and single quotes
> > for everything else. Ie:
> >
>
> Thanks, Brandon. I understand then that quote type is a matter of
> t
On Sun, Sep 18, 2011 at 17:44, Brandon Phelps wrote:
> Personally I don't use any quotes for the numeric types, and single quotes
> for everything else. Ie:
>
Thanks, Brandon. I understand then that quote type is a matter of
taste. I always use double quotes in PHP and I've only recently
started
Personally I don't use any quotes for the numeric types, and single quotes for
everything else. Ie:
UPDATE mytable SET int_field = 5 WHERE id = 3;
SELECT id FROM mytable WHERE int_field = 5;
UPDATE mytable SET varchar_field = 'Test' WHERE id = 3;
SELECT id FROM mytable WHERE varchar_field = 'Te
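The thread argues over three ways of getting a numeric value into a query string: interpolating it unquoted (Brandon), wrapping it in single quotes (Hank), and casting it with intval() before it gets anywhere near the SQL (Reindl). The following is an added example, not code from any of the posters; it is written in Python against an in-memory SQLite table rather than PHP/MySQL so that it runs stand-alone, and the `users` table and the payload strings are constructed for illustration. It shows which payload each quoting style lets through, that an intval()-style cast (mirrored here including intval()'s habit of keeping a leading run of digits and turning everything else into 0) neutralises both, and that a parameterised query does the same without any casting. How a quoted or bound non-numeric string compares against an integer column is engine-specific; the results asserted here are SQLite's.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the posters' MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def _run(conn, sql, params=()):
    # sorted() so the assertions do not depend on scan order
    return sorted(row[0] for row in conn.execute(sql, params))


def query_unquoted(conn, user_id):
    """Brandon's style: numeric column, value interpolated without quotes.
    A payload like "3 OR 1=1" becomes part of the WHERE clause verbatim."""
    return _run(conn, f"SELECT username FROM users WHERE id = {user_id}")


def query_quoted(conn, user_id):
    """Hank's style: the same value wrapped in single quotes.
    Stops "3 OR 1=1" from being parsed as SQL, but a payload that closes the
    quote ("3' OR '1'='1") is still injected."""
    return _run(conn, f"SELECT username FROM users WHERE id = '{user_id}'")


def intval(value):
    """Approximation of PHP's intval() on a string: leading whitespace, an
    optional sign and a run of digits are kept, anything else yields 0.
    Note this silently turns "3 OR 1=1" into 3 instead of rejecting it."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def query_intval(conn, user_id):
    """Reindl's style: cast first, then the interpolated text can only be an
    integer literal, so neither payload reaches the parser as SQL."""
    return _run(conn, f"SELECT username FROM users WHERE id = {intval(user_id)}")


def query_param(conn, user_id):
    """Parameterised query: the value is bound, never spliced into the SQL text,
    so no quoting or casting decision is left to the caller."""
    return _run(conn, "SELECT username FROM users WHERE id = ?", (user_id,))


if __name__ == "__main__":
    db = make_db()
    for payload in (3, "3 OR 1=1", "3' OR '1'='1"):
        print(repr(payload))
        print("  unquoted :", query_unquoted(db, payload)
              if payload != "3' OR '1'='1" else "syntax error (unbalanced quote)")
        print("  quoted   :", query_quoted(db, payload)
              if payload != "3 OR 1=1" else "engine-specific string/int compare")
        print("  intval   :", query_intval(db, payload))
        print("  param    :", query_param(db, payload))
```

Running it shows the asymmetry the thread circles around: unquoted interpolation falls to `3 OR 1=1`, quoted interpolation falls to `3' OR '1'='1`, and only the cast or the bound parameter returns exactly one row for every payload. The cast is a weaker answer than it looks, since intval() turns the first payload into a valid id 3 rather than flagging it as garbage, which is the point Reindl makes about validation having to happen before this layer.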