php + sql search
dom at happygiraffe.net
Thu Oct 31 17:02:22 GMT 2002
On Thu, Oct 31, 2002 at 04:41:36PM +0000, Matthew Seaman wrote:
> On Thu, Oct 31, 2002 at 04:08:56PM +0000, Mark Fowler wrote:
> > On Thu, 31 Oct 2002, Robin Garbutt wrote:
> > > $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
> > A side issue...Not that I really use PHP (tending to use a lot of Perl to
> > do that kind of thing) but don't you have to do something to protect $name
> > at this point instead of just string interpolating, in case someone puts in
> > a "'" inside of it (in which case they can break your code/cause serious
> > mischief.)
> Yup. That's what the addslashes() function does --- sanitize user
> input before using it in a SQL query.
Hmmm, that won't necessarily work, though, will it? My experience from
Perl's DBI has taught me that different databases have different quoting
requirements (eg: SQL Server uses doubled quotes rather than backslashed
ones). Which is why it's better to ask the individual database function
to do the quoting for you.
Was what I mentioned in private mail. I've just noticed the sickening
magic_quotes_gpc option as well that auto quotes any input variables.
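The three approaches discussed in this thread side by side, as an added example that is not part of the original posts. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs offline; the table name `db` and the input `O'Brien` are constructed to mirror the snippet quoted above. SQLite, like the SQL Server case mentioned, escapes a quote inside a string literal by doubling it, not with a backslash, so the output shows why addslashes() is the wrong tool and why asking the driver (PDO::quote) or, better, using a prepared statement is the right one.

```php
<?php
// Added example, not code from the original thread.
// Assumes the pdo_sqlite extension; the schema and row data are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE db (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO db (name) VALUES ('Alice'), ('O''Brien')");

// Constructed user input containing the single quote the thread is worried about.
$name = "O'Brien";

// 1. String interpolation as in the quoted snippet: the quote in $name closes
//    the SQL string literal early and the rest of the input becomes SQL text.
try {
    $pdo->query("SELECT * FROM db WHERE name LIKE '%$name%'");
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

// 2. addslashes() emits backslash escapes, which this database (like SQL Server)
//    does not recognise inside a string literal, so the result is still broken SQL.
echo "addslashes: ", addslashes($name), "\n";     // O\'Brien

// 3. The driver's own quoting function knows the dialect and doubles the quote.
echo "PDO::quote: ", $pdo->quote($name), "\n";    // 'O''Brien'

// 4. A prepared statement keeps the value out of the SQL text entirely, so no
//    quoting rules have to be known or applied by the application at all.
$stmt = $pdo->prepare("SELECT name FROM db WHERE name LIKE :pattern");
$stmt->execute([':pattern' => '%' . $name . '%']);
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $row) {
    echo "match: $row\n";                         // match: O'Brien
}
```

Run it with `php example.php`: the first query raises a syntax error, the two escaping lines differ, and only the prepared statement returns the `O'Brien` row. The same pattern applies to mysqli and to PDO's MySQL driver; the point is that the quoting decision belongs to the database layer, not to a string function chosen by the application.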