RE: [PHP] OO woes

2004-07-12 Thread Dan Joseph
Hi, Doesn't sound like an OO issue, sounds like you're killing the query with the '. You should go thru and maybe do an str_replace( "'", "\'", $_POST['test'] ) on all your post variables. -Dan Joseph -Original Message- From: Matthew Sims [mailto:[EMAIL PROTECTED] Sent: Monday,

RE: [PHP] OO woes

2004-07-12 Thread Matthew Sims
Hi, Doesn't sound like an OO issue, sounds like you're killing the query with the '. You should go thru and maybe do an str_replace( "'", "\'", $_POST['test'] ) on all your post variables. -Dan Joseph Ha! That did it. Thanks! --Matthew Sims --http://killermookie.org -Original

Re: [PHP] OO woes

2004-07-12 Thread Keith Greene
$query = 'INSERT into aeMail set test=\''.$_POST[test].'\''; Your quotes look screwy to me. You seem to be missing both trailing single quotes. try this: $query = 'INSERT into aeMail set test=\'''.$_POST[test].'\'''; At 01:07 PM 7/12/2004, Matthew Sims wrote: PHP version 5.0.0RC3 (cgi) (built:

Re: [PHP] OO woes

2004-07-12 Thread Chris
Your problem has nothing to do with the Objects (or really even PHP for that matter). You're not supposed to run mysql_escape_string on an entire query. Here's an example of its usage: $sString = "This string contains a single-quote (')"; $sQuery = "INSERT INTO mytable SET

Re: [PHP] OO woes

2004-07-12 Thread Matthew Sims
Your problem has nothing to do with the Objects (or really even PHP for that matter). You're not supposed to run mysql_escape_string on an entire query. Yup, you are correct, my bad. So I ran my $_POST array into array_map before the injection: $_POST = array_map(mysql_escape_string,$_POST);

Re: [PHP] OO woes

2004-07-12 Thread John W. Holmes
Matthew Sims wrote: Your problem has nothing to do with the Objects (or really even PHP for that matter). You're not supposed to run mysql_escape_string on an entire query. So I ran my $_POST array into array_map before the injection: $_POST = array_map(mysql_escape_string,$_POST); And it all