In the case that you're comparing a field to a field in the database (the field name), do you escape that, or because it is hardcoded you don't need to?
My thoughts are that you need to escape all data going in.
Correct. A field name is not data though. You've already validated it (somehow, either
Got it. So only when I am going to display the result from the database.
I see.
Or email (or otherwise present it to the user), yes.
But for comparing $dbarray['password'] to $password, don't I have to escape $password and then md5 it?
Right.
--
Postgresql & php tutorials
http://www.design
Just to make sure, cause I am ready to get past this.
Is this correct?
function confirmUP($username, $password){
    /* Verify that user is in database */
    $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
Perfect.
/* Retrieve password from res
On Aug 23, 2010, at 10:04 PM, Karl DeSaulniers wrote:
On Aug 23, 2010, at 9:31 PM, Chris wrote:
To be more specific. Is this correct?
function confirmUP($username, $password){
    $username = mysql_real_escape_string($username);
    /* Verify that user is in database */
    $q = "SELECT password FROM TBL-U WHERE username = '$username'";
I normally do it in the query in case you use the variable so
On Aug 23, 2010, at 8:35 PM, Chris wrote:
You use mysql_real_escape_string for queries on the way in.
$query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'";
You use htmlspecialchars on the way out:
$value = htmlspecialchars($row['name']);
--
Postgresql & php tutorials
http://www.designmagick.com/
On Aug 22, 2010, at 7:12 PM, Chris wrote:
On 20/08/10 08:05, Karl DeSaulniers wrote:
On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
You should be using
http://us2.php.net/manual/en/function.mysql-escape-string.php
You don't need to search with extra slashes for retrieval.
Subject: Re: [PHP-DB] Slashes or no slashes
I think you should use prepared statements.
Kapu
--
From: "Karl DeSaulniers"
Sent: Friday, August 20, 2010 12:05 AM
To:
Subject: Re: [PHP-DB] Slashes or no slashes
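The two pieces of advice given in this thread, Chris's "mysql_real_escape_string on the way in, htmlspecialchars on the way out" and Kapu's "use prepared statements", shown side by side on the same confirmUP()-style lookup. This is an added example, not code posted by anyone in the thread: it uses PDO with an in-memory SQLite table named users (constructed here) in place of the mysql_* functions and the TBL_USERS constant, and PDO::quote() stands in for mysql_real_escape_string(). md5() is kept only because the thread's code compares md5 hashes.

```php
<?php
// Added example, not code from the thread. The same username/password lookup is
// done with value escaping, with a prepared statement, and with HTML encoding on
// output. PDO + in-memory SQLite replaces the mysql_* functions so this runs
// offline; the table "users" and its rows are constructed for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");

// Seed two constructed accounts; one username contains a quote, the character
// the whole thread is about. md5() is used only because the thread's code does.
$seed = $db->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
$seed->execute([':u' => 'alice',   ':p' => md5('s3cret')]);
$seed->execute([':u' => "o'brien", ':p' => md5('pa55')]);

// 1. The thread's approach: escape the *value* on the way in. PDO::quote() plays
//    the role of mysql_real_escape_string() (it also adds the surrounding quotes).
//    The table and column names are hardcoded, so they are not escaped.
function confirmUP_escaped(PDO $db, string $username, string $password): bool
{
    $q = "SELECT password FROM users WHERE username = " . $db->quote($username);
    $row = $db->query($q)->fetch(PDO::FETCH_ASSOC);
    // $password never goes into the SQL text, so it needs hashing, not escaping.
    return $row !== false && hash_equals($row['password'], md5($password));
}

// 2. Kapu's suggestion: a prepared statement. The value travels separately from
//    the SQL text, so there is nothing to escape and nothing to forget.
function confirmUP_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['password'], md5($password));
}

// 3. On the way out: encode whatever came from the database before it is echoed
//    into HTML, regardless of how it was escaped on the way in.
function renderUsername(PDO $db, string $username): string
{
    $stmt = $db->prepare("SELECT username FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
}

var_dump(confirmUP_escaped($db, "o'brien", 'pa55'));   // the quote in the value is handled
var_dump(confirmUP_prepared($db, "o'brien", 'pa55'));
var_dump(confirmUP_prepared($db, 'alice', 'wrong'));
echo '<b>', renderUsername($db, "o'brien"), "</b>\n";
```

Both lookups give the same answer; the difference is that the escaped version only stays safe as long as every value is remembered to be passed through the escaping function, while the prepared version cannot forget. mysql_real_escape_string() needs an open MySQL connection to know the connection's character set, which is the same reason PDO::quote() is a method on the connection rather than a free function. For new code, password_hash() and password_verify() replace the md5 comparison.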
On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
You should be using
http://us2.php.net/manual/en/function.mysql-escape-string.php
You don't need to search with extra slashes for retrieval.
> -Original Message-
> From: Karl DeSaulniers [mailto:k...@designdrumm.com]
> Sent: Thursday, August 19, 2010 2:29 PM
> To: php-db@lists.php.net