php + sql search

Dominic Mitchell dom at
Thu Oct 31 17:02:22 GMT 2002

On Thu, Oct 31, 2002 at 04:41:36PM +0000, Matthew Seaman wrote:
> On Thu, Oct 31, 2002 at 04:08:56PM +0000, Mark Fowler wrote:
> > On Thu, 31 Oct 2002, Robin Garbutt wrote:
> > 
> > > $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
> > 
> > A side issue...Not that I really use PHP (tending to use a lot of Perl to
> > do that kind of thing) but don't you have to do something to protect $name
> > at this point instead of just string interpolating, in case someone puts in 
> > a "'" inside of it (in which case they can break your code/cause serious 
> > mischief.)
> Yup.  That's what the addslashes() function does --- sanitize user
> input before using it in a SQL query.

Hmmm, that won't necessarily work, though, will it?  My experience from
Perl's DBI has taught me that different databases have different quoting
requirements (eg: SQL Server uses doubled quotes rather than backslashed
ones).  Which is why it's better to ask the individual database function
to do the quoting for you.

That was what I mentioned in private mail.  I've just noticed the sickening
magic_quotes_gpc option as well, which auto-quotes any input variables.
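The quoting problem the thread is circling, worked through as an added example (not code from any of the posters). It assumes PHP with the PDO SQLite driver; the table, rows and input are constructed for the demo, and SQLite is used because it doubles quotes rather than backslashing them, the exact case raised above.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP 7+ with the
// PDO SQLite driver; table, sample rows and input are constructed here.
// SQLite escapes a quote by doubling it ('O''Brien'), so it stands in for
// the "doubled quotes rather than backslashed ones" databases mentioned.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE db (name TEXT)");
$pdo->exec("INSERT INTO db (name) VALUES ('Robin'), ('O''Brien')");

$name = "O'Brien";   // constructed input containing a single quote

// 1. Plain interpolation, as in the quoted snippet: the quote in $name
//    ends the string literal early and the statement no longer parses.
try {
    $pdo->query("SELECT * FROM db WHERE name LIKE '%$name%'");
} catch (PDOException $e) {
    echo "interpolated: ", $e->getMessage(), "\n";
}

// 2. addslashes() yields O\'Brien. That is MySQL's convention; to this
//    database the backslash is an ordinary character and the quote still
//    terminates the string, so the statement fails in the same way.
$slashed = addslashes($name);
try {
    $pdo->query("SELECT * FROM db WHERE name LIKE '%$slashed%'");
} catch (PDOException $e) {
    echo "addslashes: ", $e->getMessage(), "\n";
}

// 3. Ask the driver to quote: PDO::quote() produces whatever this database
//    actually understands ('%O''Brien%'), the PHP analogue of DBI's quote().
$quoted = $pdo->quote("%$name%");
$rows = $pdo->query("SELECT name FROM db WHERE name LIKE $quoted")
            ->fetchAll(PDO::FETCH_COLUMN);
echo "quote(): ", implode(',', $rows), "\n";

// 4. Better still, keep user data out of the SQL text entirely: bind it as
//    a parameter and no quoting decision is made in application code.
$stmt = $pdo->prepare("SELECT name FROM db WHERE name LIKE :pattern");
$stmt->execute([':pattern' => "%$name%"]);
echo "bound: ", implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
```

Cases 3 and 4 both return the O'Brien row; cases 1 and 2 print the driver's syntax error, which is the failure the thread warns about.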


More information about the Ukfreebsd mailing list