[K12OSN] Help with php / mysql

Brian Chivers brian at portsmouth-college.ac.uk
Wed Feb 4 20:15:16 UTC 2009


Henry Hartley wrote:
> Patrick Fleming wrote:
>   
>>> Brian Chivers wrote:
>>>       
>>>> mysql_query("INSERT INTO stream (channel, starttime, title, description,
>>>> genre, filename) VALUES
>>>> ('$channel','$starttime','$title','$description','$genre','$filename')");
>>>>         
>>> even better -
>>> $channel = addslashes($_POST['channel']);
>>>
>>> mysql_query("INSERT INTO stream (channel, starttime, title, description,
>>> genre, filename) VALUES
>>> ('$channel','$starttime','$title','$description','$genre','$filename')");
>>>       
>
> Or even better still:
>
> $query = sprintf("INSERT
>         INTO (channel, starttime, title, description, genre, filename)
>         VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' )",
>             mysql_real_escape_string($channel),
>             mysql_real_escape_string($starttime),
>             mysql_real_escape_string($title),
>             mysql_real_escape_string($description),
>             mysql_real_escape_string($genre),
>             mysql_real_escape_string($filename));
>
> mysql_query($query);
>
> Read this page:
> http://us.php.net/manual/en/function.mysql-real-escape-string.php
>
> If you aren't familiar with SQL Injection, you really (REALLY) need to read up on it. In particular, don't get the idea that only strings need to be managed. Here's a good place to start:
>
> http://isc.sans.org/diary.html?storyid=5416
>
> --
> Henry
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>   
After a bit of head scratching as to why this would work, I figured out 
that you had deliberately left out the table to insert the data into, so 
it should be

$insert_query = sprintf("INSERT INTO stream (channel, starttime, title, 
description, genre, filename) VALUES ('%s','%s','%s','%s','%s','%s')",
            mysql_real_escape_string($channel),
            mysql_real_escape_string($starttime),
            mysql_real_escape_string($title),
            mysql_real_escape_string($description),
            mysql_real_escape_string($genre),
            mysql_real_escape_string($filename));


Did I pass the test? :-)

Seriously, thanks for this, it works a treat.

Brian

------------------------------------------------------------------------------------------------
    The views expressed here are my own and not necessarily
    the views of Portsmouth College
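Henry's warning above that more than strings needs managing, and the fixed INSERT Brian posted, as a runnable added example (this is not code from the thread or from K12OSN). It uses an in-memory SQLite database through PDO, an assumption made so the script needs no MySQL server; the same PDO calls work against MySQL with a mysql: DSN. It puts the interpolated INSERT beside a prepared-statement version, then shows why addslashes() or mysql_real_escape_string() gives no protection for an unquoted numeric id. The sample rows and the hostile title are constructed.

```php
<?php
// Added example (not code from the thread or from K12OSN). Shows, in runnable
// form: the interpolated INSERT from the thread is injectable; escaping only
// protects values that sit inside quotes, so an unquoted numeric value such as
// an id is still injectable; and a prepared statement with bound parameters
// covers both cases. Runs against an in-memory SQLite database through PDO
// (an assumption so that no MySQL server is needed).

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE stream (id INTEGER PRIMARY KEY, channel TEXT,
               starttime TEXT, title TEXT, description TEXT, genre TEXT,
               filename TEXT)');
    return $db;
}

// Vulnerable: the query as first posted, with the values pasted into the SQL.
function insertInterpolated(PDO $db, array $r): void {
    $sql = "INSERT INTO stream (channel, starttime, title, description, genre, filename) "
         . "VALUES ('{$r['channel']}','{$r['starttime']}','{$r['title']}',"
         . "'{$r['description']}','{$r['genre']}','{$r['filename']}')";
    $db->exec($sql);
}

// Fixed: placeholders in the SQL, values bound separately, so a quote inside
// a value can never change the structure of the statement.
function insertPrepared(PDO $db, array $r): void {
    $stmt = $db->prepare('INSERT INTO stream (channel, starttime, title, description, genre, filename)
                          VALUES (:channel, :starttime, :title, :description, :genre, :filename)');
    $stmt->execute([
        ':channel'     => $r['channel'],
        ':starttime'   => $r['starttime'],
        ':title'       => $r['title'],
        ':description' => $r['description'],
        ':genre'       => $r['genre'],
        ':filename'    => $r['filename'],
    ]);
}

// Vulnerable: numeric context. addslashes() (and mysql_real_escape_string())
// only escape quote and backslash characters; "1 OR 1=1" contains none and
// passes through untouched, so escaping alone gives no protection here.
function lookupInterpolated(PDO $db, string $id): array {
    $id = addslashes($id);
    return $db->query("SELECT id, title, filename FROM stream WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: check that the value really is an integer, then bind it as one.
function lookupSafe(PDO $db, string $id): array {
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("id must be an integer, got: $id");
    }
    $stmt = $db->prepare('SELECT id, title, filename FROM stream WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();

// Constructed sample rows. The hostile title closes the quoted value, supplies
// its own description/genre/filename, closes the VALUES list and comments out
// the rest of the statement, so the attacker picks the stored filename.
$legit = ['channel' => 'bbc1', 'starttime' => '2009-02-04 20:00',
          'title' => "Tonight's News", 'description' => 'Evening bulletin',
          'genre' => 'news', 'filename' => 'news.ts'];
$hostile = $legit;
$hostile['title'] = "Hijacked','x','x','../../../etc/passwd'); -- ";

insertPrepared($db, $legit);        // apostrophe in the title is stored as-is
insertInterpolated($db, $hostile);  // filename column now attacker-controlled

foreach ($db->query('SELECT id, title, filename FROM stream') as $row) {
    echo "{$row['id']}: {$row['title']} -> {$row['filename']}\n";
}

echo count(lookupInterpolated($db, '1 OR 1=1')), " rows from interpolated lookup\n";
echo count(lookupSafe($db, '1')), " row from validated, bound lookup\n";
try {
    lookupSafe($db, '1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with a PHP build that has pdo_sqlite. Two caveats for the thread's own approach: the mysql_* functions were removed in PHP 7.0, so on MySQL the same pattern is mysqli::prepare() with bind_param(), or PDO as above; and mysql_real_escape_string() needs an open connection, because it escapes according to that connection's character set, which is also why it is preferred over addslashes().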



