
Re: [K12OSN] Help with php / mysql



Henry Hartley wrote:
Patrick Fleming wrote:
Brian Chivers wrote:
// Form values interpolated straight into the SQL string: nothing is escaped.
mysql_query("INSERT INTO stream (channel, starttime, title, description,
genre, filename) VALUES
('$channel','$starttime','$title','$description','$genre','$filename')");
even better -
$channel = addslashes($_POST['channel']);

mysql_query("INSERT INTO stream (channel, starttime, title, description,
genre, filename) VALUES
('$channel','$starttime','$title','$description','$genre','$filename')");

Or even better still:

$query = sprintf("INSERT
        INTO (channel, starttime, title, description, genre, filename)
        VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' )",
            mysql_real_escape_string($channel),
            mysql_real_escape_string($starttime),
            mysql_real_escape_string($title),
            mysql_real_escape_string($description),
            mysql_real_escape_string($genre),
            mysql_real_escape_string($filename));

mysql_query($query);

Read this page:
http://us.php.net/manual/en/function.mysql-real-escape-string.php

If you aren't familiar with SQL Injection, you really (REALLY) need to read up on it. In particular, don't get the idea that only strings need to be managed. Here's a good place to start:

http://isc.sans.org/diary.html?storyid=5416

--
Henry

_______________________________________________
K12OSN mailing list
K12OSN redhat com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>
After a bit of head-scratching as to why this would work, I figured out that you had deliberately left out the table to insert the data into, so it should be:

$insert_query = sprintf("INSERT INTO stream (channel, starttime, title, description, genre, filename) VALUES ('%s','%s','%s','%s','%s','%s')",
           mysql_real_escape_string($channel),
           mysql_real_escape_string($starttime),
           mysql_real_escape_string($title),
           mysql_real_escape_string($description),
           mysql_real_escape_string($genre),
           mysql_real_escape_string($filename));


Did I pass the test :-)

Seriously thanks for this it works a treat.

Brian

------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
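Added example, not from anyone in this thread: the same INSERT into the `stream` table written with PDO prepared statements, which is the mainstream way to carry Henry's advice into current PHP (the mysql_* functions used above were removed in PHP 7). Bound parameters cover both strings and numbers, which addresses Henry's warning that escaping strings is not the whole story. The DSN, credentials, and the numeric `id` column in the lookup function are assumptions for illustration; the thread's schema shows no `id`.

```php
<?php
// Added example (not code from the thread). Assumptions: a PDO/MySQL DSN with
// placeholder credentials, and a numeric `id` column on `stream`.
declare(strict_types=1);

/**
 * Insert one row into `stream` with bound parameters.
 * The SQL text never contains user data, so quoting and escaping are handled
 * by the driver rather than by sprintf()/mysql_real_escape_string().
 */
function insertStream(PDO $db, array $row): int
{
    $sql = 'INSERT INTO stream (channel, starttime, title, description, genre, filename)
            VALUES (:channel, :starttime, :title, :description, :genre, :filename)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':channel'     => $row['channel'],
        ':starttime'   => $row['starttime'],
        ':title'       => $row['title'],
        ':description' => $row['description'],
        ':genre'       => $row['genre'],
        ':filename'    => $row['filename'],
    ]);
    return $stmt->rowCount();
}

/**
 * Henry's point about non-string values: a number dropped unquoted into the
 * SQL text gains nothing from mysql_real_escape_string(), because there are
 * no quotes for the escaping to protect. Validate it and bind it as an
 * integer instead. (The `id` column is an assumption, not in the thread.)
 */
function findStreamById(PDO $db, $id): ?array
{
    // Reject anything that is not a whole number before it reaches the database.
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT channel, title, filename FROM stream WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection details are placeholders; replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// The six form fields from the thread; $_POST values are untrusted strings.
insertStream($db, [
    'channel'     => $_POST['channel']     ?? '',
    'starttime'   => $_POST['starttime']   ?? '',
    'title'       => $_POST['title']       ?? '',
    'description' => $_POST['description'] ?? '',
    'genre'       => $_POST['genre']       ?? '',
    'filename'    => $_POST['filename']    ?? '',
]);
```

With ATTR_EMULATE_PREPARES off, the statement text and the values travel to the server separately, so no value can change the shape of the query regardless of what quotes or comment markers it contains. Input validation such as the FILTER_VALIDATE_INT check is still worth doing, but for correctness of the data rather than as the defence against injection.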