php + sql search

Dominic Mitchell dom at happygiraffe.net
Thu Oct 31 17:02:22 GMT 2002


On Thu, Oct 31, 2002 at 04:41:36PM +0000, Matthew Seaman wrote:
> On Thu, Oct 31, 2002 at 04:08:56PM +0000, Mark Fowler wrote:
> > On Thu, 31 Oct 2002, Robin Garbutt wrote:
> > 
> > > $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
> > 
> > A side issue...Not that I really use PHP (tending to use a lot of Perl to
> > do that kind of thing) but don't you have to do something to protect $name
> > at this point instead of just string interpolating, in case someone puts in 
> > a "'" inside of it (in which case they can break your code/cause serious 
> > mischief.)
> 
> Yup.  That's what the addslashes() function does --- sanitize user
> input before using it in a SQL query.
> http://www.php.net/manual/en/function.addslashes.php

Hmmm, that won't necessarily work, though, will it?  My experience from
Perl's DBI has taught me that different databases have different quoting
requirements (e.g. SQL Server uses doubled quotes rather than backslashed
ones).  Which is why it's better to ask the individual database function
to do the quoting for you.

    http://www.php.net/manual/en/function.mysql-escape-string.php

Was what I mentioned in private mail.  I've just noticed the sickening
magic_quotes_gpc option as well that auto quotes any input variables.
Yuck.

-Dom
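The following is an added illustration of the point made in this thread, not code from any of the posters. It stands in for the PHP/MySQL snippet with Python and an in-memory SQLite database, so that it runs offline; the `db` table and its three names are constructed sample data, and `addslashes()` is a small port of PHP's function of the same name, used only to show what backslash escaping does to a query. SQLite follows standard SQL quoting (doubled single quotes, no backslash escapes), so it plays the role of the "different database" in Dom's point: the interpolated query and the `addslashes()` version both produce SQL the database rejects when a name contains a quote, the database-appropriate escaper works, and a bound parameter works without the caller having to know the quoting rules at all.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "db" table (name column).
SAMPLE_NAMES = ["Alice", "Bob", "O'Brien"]


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (name TEXT)")
    conn.executemany("INSERT INTO db (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def addslashes(s):
    """Port of PHP's addslashes(): a backslash before ' " \\ and NUL (MySQL-style escaping)."""
    return "".join("\\0" if c == "\x00" else ("\\" + c if c in "'\"\\" else c) for c in s)


def quote_sql_standard(s):
    """Standard-SQL escaping: double every single quote (what SQLite, PostgreSQL and
    SQL Server expect inside a string literal)."""
    return s.replace("'", "''")


def search_interpolated(conn, name):
    """The thread's pattern: the user's input pasted straight into the SQL text."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM db WHERE name LIKE '%" + name + "%'")]


def search_addslashes(conn, name):
    """Same query, with the input run through addslashes() first."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM db WHERE name LIKE '%" + addslashes(name) + "%'")]


def search_doubled_quotes(conn, name):
    """Same query, escaped the way this particular database actually expects."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM db WHERE name LIKE '%" + quote_sql_standard(name) + "%'")]


def search_parameterized(conn, name):
    """Bound parameter: the driver keeps the value out of the SQL text entirely,
    so no quoting rule has to be known by the application at all."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM db WHERE name LIKE ?", ("%" + name + "%",))]


def try_search(search_fn, name):
    """Run one search variant against a fresh database. Returns the matching
    names, or the exception class name if the database rejected the SQL."""
    conn = make_db()
    try:
        return search_fn(conn, name)
    except sqlite3.Error as e:
        return type(e).__name__
    finally:
        conn.close()


if __name__ == "__main__":
    variants = (search_interpolated, search_addslashes,
                search_doubled_quotes, search_parameterized)
    for fn in variants:
        plain = try_search(fn, "li")
        quoted = try_search(fn, "O'Brien")
        print("%-22s 'li' -> %-12r \"O'Brien\" -> %r" % (fn.__name__, plain, quoted))
```

Running it prints one line per variant: all four find `Alice` for the harmless input `li`, but for `O'Brien` the interpolated and `addslashes()` versions come back with `OperationalError` (SQLite sees an unterminated string literal in both), while the doubled-quote and parameterized versions return `["O'Brien"]`. The parameterized form is the one to prefer: it is the same call whichever database sits behind the driver.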