php + sql search

Simon Dick simond at irrelevant.org
Thu Oct 31 17:10:48 GMT 2002


On Thu, 2002-10-31 at 16:41, Matthew Seaman wrote:
> On Thu, Oct 31, 2002 at 04:08:56PM +0000, Mark Fowler wrote:
> > On Thu, 31 Oct 2002, Robin Garbutt wrote:
> > 
> > > $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
> > 
> > A side issue...Not that I really use PHP (tending to use a lot of Perl to
> > do that kind of thing) but don't you have to do something to protect $name
> > at this point instead of just string interpolating, in case someone puts in 
> > a "'" inside of it (in which case they can break your code/cause serious 
> > mischief.)
> 
> Yup.  That's what the addslashes() function does --- sanitize user
> input before using it in a SQL query.
> http://www.php.net/manual/en/function.addslashes.php

If you use DB.php then quoteString() is far more suited for SQL stuff
IMHO

-- 
Simon Dick					simond at irrelevant.org
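An added example, not code from the thread or from any of its posters, contrasting the three choices discussed above: raw interpolation of $name, the addslashes() escaping suggested in the reply, and a prepared statement that also escapes LIKE wildcards. It assumes PDO with an in-memory SQLite table as a stand-in for the original MySQL database, and the function names are made up for this illustration.

```php
<?php
// Added example (not from the thread): the LIKE query from the quoted message,
// built three ways, for a perfectly ordinary name containing an apostrophe.

// 1. Raw interpolation, as in the quoted snippet: the apostrophe in the value
//    closes the string literal early, so the query text is no longer what the
//    author intended and MySQL will reject it (or worse, run something else).
function naiveQuery(string $name): string
{
    return "SELECT * FROM db WHERE name LIKE '%$name%'";
}

// 2. addslashes(), the fix suggested in the reply: backslash-escapes the
//    quote so the literal stays intact. It knows nothing about the connection
//    charset, so today a prepared statement is the preferred form.
function addslashesQuery(string $name): string
{
    return "SELECT * FROM db WHERE name LIKE '%" . addslashes($name) . "%'";
}

// 3. Prepared statement: the value is bound, never spliced into the SQL text.
//    LIKE wildcards (% and _) inside the user value still have to be escaped,
//    otherwise a search for "%" matches every row. '!' is used as the escape
//    character because a backslash escape is handled differently by MySQL.
function preparedSearch(PDO $pdo, string $name): array
{
    // Escape the escape character first, then the two LIKE metacharacters.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $name);
    $stmt = $pdo->prepare("SELECT * FROM db WHERE name LIKE :pattern ESCAPE '!'");
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (assumption: PDO
// with the sqlite driver is available; the thread's database was MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE db (name TEXT)");
$pdo->exec("INSERT INTO db VALUES ('Robin'), ('O''Brien'), ('100%')");

echo naiveQuery("O'Brien"), "\n";       // ... LIKE '%O'Brien%'   (broken literal)
echo addslashesQuery("O'Brien"), "\n";  // ... LIKE '%O\'Brien%'  (escaped)
print_r(preparedSearch($pdo, "O'Brien")); // one row: O'Brien
print_r(preparedSearch($pdo, "%"));       // only '100%', not the whole table
```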

More information about the Ukfreebsd mailing list