php + sql search

Simon Dick simond at irrelevant.org
Thu Oct 31 17:18:37 GMT 2002


On Thu, 2002-10-31 at 17:10, Simon Dick wrote:
> On Thu, 2002-10-31 at 16:41, Matthew Seaman wrote:
> > On Thu, Oct 31, 2002 at 04:08:56PM +0000, Mark Fowler wrote:
> > > On Thu, 31 Oct 2002, Robin Garbutt wrote:
> > > 
> > > > $result = mysql_query("SELECT * FROM db WHERE name LIKE '%$name%'", $db);
> > > 
> > > A side issue...Not that I really use PHP (tending to use a lot of Perl to
> > > do that kind of thing) but don't you have to do something to protect $name
> > > at this point instead of just string interpolating, in case someone puts in 
> > > a "'" inside of it (in which case they can break your code/cause serious 
> > > mischief.)
> > 
> > Yup.  That's what the addslashes() function does --- sanitize user
> > input before using it in a SQL query.
> > http://www.php.net/manual/en/function.addslashes.php
> 
> If you use DB.php then quoteString() is far more suited for SQL stuff
> IMHO

Oh yes, and quite database independent as DB.php uses the same ideas as
DBI and makes things slightly more transparent thankfully.

-- 
Simon Dick					simond at irrelevant.org
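The quoting problem raised in this thread, as an added example that is not from any of the posters: the interpolated LIKE query from the original message beside a version that binds the search term as a parameter. It is written in Python with sqlite3 rather than PHP so it runs offline; the table and its rows are constructed, and the LIKE-wildcard handling goes beyond what the thread discusses.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the thread's "db" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO db (name) VALUES (?)",
        [("Robin",), ("O'Brien",), ("Simon_Dick",), ("100% Simon",)],
    )
    return conn


def search_interpolated(conn, name):
    # The pattern from the original message: user input pasted straight
    # into the SQL text. A quote in `name` ends the string literal early.
    sql = "SELECT name FROM db WHERE name LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    # Escape LIKE metacharacters so the user's text is matched literally.
    # Parameter binding alone does not do this: '%' and '_' are still
    # wildcards inside a bound pattern.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_bound(conn, name):
    # The value travels separately from the SQL text, so no quote in `name`
    # can change the statement's structure, whatever the database's quoting rules.
    pattern = "%" + escape_like(name) + "%"
    rows = conn.execute(
        "SELECT name FROM db WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return [row[0] for row in rows]
```

addslashes() produces MySQL-style backslash escaping; SQLite follows standard SQL and doubles the quote instead, which is the portability point behind preferring the driver's own quoting or, better, bound parameters.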
