php + sql search

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Oct 31 16:41:36 GMT 2002


On Thu, Oct 31, 2002 at 04:08:56PM +0000, Mark Fowler wrote:
> On Thu, 31 Oct 2002, Robin Garbutt wrote:
> 
> > $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
> 
> A side issue...Not that I really use PHP (tending to use a lot of Perl to
> do that kind of thing) but don't you have to do something to protect $name
> at this point instead of just string interpolating, in case someone puts in 
> a "'" inside of it (in which case they can break your code/cause serious 
> mischief.)

Yup.  That's what the addslashes() function does --- sanitize user
input before using it in a SQL query.
http://www.php.net/manual/en/function.addslashes.php

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
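The point Mark raises and Matthew answers, shown end to end. This is an added example and is not code from Robin's, Mark's or Matthew's messages: it rebuilds the LIKE search from the quoted line against a constructed in-memory SQLite table (the thread uses MySQL; SQLite is used here only so the script runs without a server), runs it once with string interpolation and once as a prepared statement, and prints what addslashes() would have sent. The table name, rows and search inputs are all made up for the example.

```php
<?php
// Added example, not from the original thread. Table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE db (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO db (name) VALUES ('alice'), ('bob'), ('carol')");

// Vulnerable form, as in the quoted line: $name is spliced into the SQL text,
// so a quote inside it terminates the string literal early.
function searchInterpolated(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM db WHERE name LIKE '%$name%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: a prepared statement sends $name as a bound value, so the
// database never parses it as SQL. The % wildcards are added to the value,
// not to the query text.
function searchPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM db WHERE name LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $name . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an ordinary search, and one carrying the "'" Mark asks about.
$inputs = ['ali', "x' OR name LIKE '%"];

foreach ($inputs as $name) {
    echo "input: " . var_export($name, true) . "\n";

    // With the second input the interpolated query becomes
    //   ... WHERE name LIKE '%x' OR name LIKE '%%'
    // which is still valid SQL and returns every row.
    try {
        echo "  interpolated: " . implode(',', searchInterpolated($pdo, $name)) . "\n";
    } catch (PDOException $e) {
        echo "  interpolated: SQL error (" . $e->getMessage() . ")\n";
    }

    // The bound parameter is matched literally, so the second input finds nothing.
    echo "  prepared:     " . implode(',', searchPrepared($pdo, $name)) . "\n";

    // What addslashes() would send to MySQL: ' " \ and NUL get a backslash, so
    // MySQL reads \' as a literal quote and the string can no longer be closed
    // early. SQLite does not interpret backslashes at all, which is one reason
    // to let the driver do the quoting (PDO::quote, or better, bound parameters)
    // rather than escaping by hand.
    echo "  addslashes(): " . addslashes($name) . "\n";
}
```

Running this prints `alice` for the first input under both forms; for the second input the interpolated query returns `alice,bob,carol` while the prepared statement returns nothing, which is the whole difference between the two approaches.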



