Hello.

Suppose a malicious user typed the following input, with quotes and dots:

LLC "Basins and Daisies". We work like slaves

I wonder whether there are any pitfalls with phrases like this, with quotes and dots, and how to avoid them?

  • Before inserting into the database you need to escape all the values from $_REQUEST, $_COOKIE, $_POST or $_GET, and then there won't be any stones, not even sand, in your kidneys! - Alex Kapustin


1 Answer

Before sending it to the database, do mysql_real_escape_string($_REQUEST['text']).
On output, stripslashes(htmlspecialchars($text_from_base, ENT_QUOTES)).

  • I.e., it is more correct to write it like this?
    $field_1 = mysql_real_escape_string($_REQUEST['field_1']);
    $field_2 = mysql_real_escape_string($_REQUEST['field_2']);
    $result = mysql_query("INSERT INTO table (field_1, field_2) VALUES ('$field_1', '$field_2')");
    $field_1 = stripslashes(htmlspecialchars($field_1, ENT_QUOTES));
    $field_2 = stripslashes(htmlspecialchars($field_2, ENT_QUOTES));
    $query = "SELECT field_1 FROM table WHERE field_1 = '$field_1' AND field_2 = '$field_2' LIMIT 0,1";
    $sql = mysql_query($query);
    $field_1 = $sql[1];
    $field_2 = $sql[2];
    - frank
  • On input, that's right. On output, stripslashes(htmlspecialchars($sql[1], ENT_QUOTES)); - Maksym Prus
  • Don't forget to do fetch_array - Maksym Prus