[K12OSN] Help with php / mysql
Henry Hartley
henryhartley at westat.com
Wed Feb 4 14:32:54 UTC 2009
Patrick Fleming wrote:
>>
>> Brian Chivers wrote:
>> > mysql_query("INSERT INTO stream (channel, starttime, title, description,
>> > genre, filename) VALUES
>> > ('$channel','$starttime','$title','$description','$genre','$filename')");
>>
>> even better -
>> $channel = addslashes($_POST['channel']);
>>
>> mysql_query("INSERT INTO stream (channel, starttime, title, description,
>> genre, filename) VALUES
>> ('$channel','$starttime','$title','$description','$genre','$filename')");
Or even better still:
$query = sprintf("INSERT
INTO stream (channel, starttime, title, description, genre, filename)
VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' )",
mysql_real_escape_string($channel),
mysql_real_escape_string($starttime),
mysql_real_escape_string($title),
mysql_real_escape_string($description),
mysql_real_escape_string($genre),
mysql_real_escape_string($filename));
mysql_query($query);
Read this page:
http://us.php.net/manual/en/function.mysql-real-escape-string.php
If you aren't familiar with SQL Injection, you really (REALLY) need to read up on it. In particular, don't get the idea that only strings need to be managed. Here's a good place to start:
http://isc.sans.org/diary.html?storyid=5416
--
Henry
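The pattern from the reply above, written out as an added example (not code from anyone in this thread). It assumes a PHP 5.x setup with ext/mysql like the original poster's, plus the mysqli extension for the second function; the `duration` column is hypothetical, added only to show the non-string case the reply warns about.

```php
<?php
// Added example, not from the K12OSN thread. $link is an open
// mysql_connect() handle, $db an open mysqli connection. The
// `duration` column is invented here to show a numeric value.

// The escaping approach from the reply: every string value is run
// through mysql_real_escape_string() and quoted. A numeric value
// must not be quoted, so it is cast instead; anything that is not
// a number becomes 0 rather than ending up in the SQL text.
function build_stream_insert_escaped($link, array $post)
{
    $fields = array('channel', 'starttime', 'title', 'description', 'genre', 'filename');
    $values = array();
    foreach ($fields as $f) {
        $values[] = "'" . mysql_real_escape_string((string) $post[$f], $link) . "'";
    }
    $values[] = (int) $post['duration'];   // cast, no quotes, no escaping

    return sprintf(
        "INSERT INTO stream (%s, duration) VALUES (%s)",
        implode(', ', $fields),
        implode(', ', $values)
    );
}

// The same insert as a prepared statement (mysqli, which replaced
// ext/mysql). Values never become part of the SQL text, so quoting
// and typing are handled by the driver for strings and integers alike.
function insert_stream_prepared(mysqli $db, array $post)
{
    $stmt = $db->prepare(
        'INSERT INTO stream (channel, starttime, title, description, genre, filename, duration)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $duration = (int) $post['duration'];
    $stmt->bind_param('ssssssi', $post['channel'], $post['starttime'], $post['title'],
                      $post['description'], $post['genre'], $post['filename'], $duration);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Run build_stream_insert_escaped($link, $_POST) and compare its output with what a raw interpolation would produce to see where each value was neutralised; the prepared-statement version needs no such inspection because there is nothing to escape.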