[K12OSN] Help with php / mysql
Brian Chivers
brian at portsmouth-college.ac.uk
Wed Feb 4 20:15:16 UTC 2009
Henry Hartley wrote:
> Patrick Fleming wrote:
>
>>> Brian Chivers wrote:
>>>
>>>> mysql_query("INSERT INTO stream (channel, starttime, title, description,
>>>> genre, filename) VALUES
>>>> ('$channel','$starttime','$title','$description','$genre','$filename')");
>>>>
>>> even better -
>>> $channel = addslashes($_POST['channel']);
>>>
>>> mysql_query("INSERT INTO stream (channel, starttime, title, description,
>>> genre, filename) VALUES
>>> ('$channel','$starttime','$title','$description','$genre','$filename')");
>>>
>
> Or even better still:
>
> $query = sprintf("INSERT
> INTO (channel, starttime, title, description, genre, filename)
> VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' )",
> mysql_real_escape_string($channel),
> mysql_real_escape_string($starttime),
> mysql_real_escape_string($title),
> mysql_real_escape_string($description),
> mysql_real_escape_string($genre),
> mysql_real_escape_string($filename));
>
> mysql_query($query);
>
> Read this page:
> http://us.php.net/manual/en/function.mysql-real-escape-string.php
>
> If you aren't familiar with SQL Injection, you really (REALLY) need to read up on it. In particular, don't get the idea that only strings need to be managed. Here's a good place to start:
>
> http://isc.sans.org/diary.html?storyid=5416
>
> --
> Henry
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>
After a bit of head scratching as to why this would work, I figured out
that you had deliberately left out the table to insert the data into, so
it should be:
$insert_query = sprintf("INSERT INTO stream (channel, starttime, title,
description, genre, filename) VALUES ('%s','%s','%s','%s','%s','%s')",
mysql_real_escape_string($channel),
mysql_real_escape_string($starttime),
mysql_real_escape_string($title),
mysql_real_escape_string($description),
mysql_real_escape_string($genre),
mysql_real_escape_string($filename));
Did I pass the test :-)
Seriously thanks for this it works a treat.
Brian
------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College