
RE: [K12OSN] Help with php / mysql



Patrick Fleming wrote:
>>
>> Brian Chivers wrote:
>> > mysql_query("INSERT INTO stream (channel, starttime, title, description,
>> > genre, filename) VALUES
>> > ('$channel','$starttime','$title','$description','$genre','$filename')");
>>
>> even better -
>> $channel = addslashes($_POST['channel']);
>>
>>  mysql_query("INSERT INTO stream (channel, starttime, title, description,
>>  genre, filename) VALUES
>> ('$channel','$starttime','$title','$description','$genre','$filename')");

Or even better still:

$query = sprintf("INSERT
        INTO stream (channel, starttime, title, description, genre, filename)
        VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' )",
            mysql_real_escape_string($channel),
            mysql_real_escape_string($starttime),
            mysql_real_escape_string($title),
            mysql_real_escape_string($description),
            mysql_real_escape_string($genre),
            mysql_real_escape_string($filename));

mysql_query($query);

Read this page:
http://us.php.net/manual/en/function.mysql-real-escape-string.php

If you aren't familiar with SQL Injection, you really (REALLY) need to read up on it. In particular, don't get the idea that only strings need to be managed. Here's a good place to start:

http://isc.sans.org/diary.html?storyid=5416

--
Henry
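The same INSERT done with a prepared statement, as an added example that is not part of the thread: values travel separately from the SQL text, so no escaping call is needed, and the numeric lookup shows why non-string values need handling too. It assumes PDO is available and, for an offline run, uses a constructed in-memory SQLite table with the thread's "stream" columns; against MySQL only the DSN changes.

```php
<?php
// Added example, not code from the K12OSN thread. Runs offline on SQLite;
// for MySQL pass a DSN such as 'mysql:host=localhost;dbname=tv' (assumed name).
declare(strict_types=1);

function openDb(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Insert one row: placeholders in the SQL, data bound separately.
function insertStream(PDO $db, array $row): int {
    $cols = ['channel', 'starttime', 'title', 'description', 'genre', 'filename'];
    $stmt = $db->prepare(
        'INSERT INTO stream (' . implode(', ', $cols) . ')
         VALUES (:channel, :starttime, :title, :description, :genre, :filename)'
    );
    foreach ($cols as $col) {
        $stmt->bindValue(':' . $col, (string) $row[$col], PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Numbers matter too: an unquoted number in SQL has no quotes for an escaping
// function to protect, so validate the type and bind it as an integer.
function findStreamById(PDO $db, $id): ?array {
    $clean = filter_var($id, FILTER_VALIDATE_INT);
    if ($clean === false) {
        throw new InvalidArgumentException('stream id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, channel, title FROM stream WHERE id = :id');
    $stmt->bindValue(':id', $clean, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample run (table and row are made up for the demo).
$db = openDb();
$db->exec('CREATE TABLE stream (id INTEGER PRIMARY KEY AUTOINCREMENT, channel TEXT,
           starttime TEXT, title TEXT, description TEXT, genre TEXT, filename TEXT)');
$newId = insertStream($db, [
    'channel' => 'BBC1', 'starttime' => '2009-01-01 20:00:00',
    'title' => "Tonight's News", 'description' => "A quote ' here is data, not SQL",
    'genre' => 'news', 'filename' => 'news.mpg',
]);
var_dump(findStreamById($db, (string) $newId));
```

The apostrophes in the sample title and description are stored verbatim without any escaping call, and passing a non-numeric id to findStreamById raises an exception before any SQL runs.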

