dbTalk Databases Forums  

mysql_query("update... simple question

comp.databases.mysql


#11
Captain Paralytic
 
Re: mysql_query("update... simple question - 01-06-2012, 08:59 AM

On Jan 6, 2:05 pm, Jerry Stuckle <jstuck... (AT) attglobal (DOT) net> wrote:
Quote:
On 1/6/2012 8:35 AM, Captain Paralytic wrote:

Paul, I know you were trying to be succinct in your posing, but your
example is very bad for security.

ALL strings need to use mysql_real_escape_string() to ensure characters
such as quotes (') (and others, depending on the charset) are handled
properly. More importantly, it prevents SQL injection attacks.

Additionally, numeric values need to be verified that they actually are
numeric before inserting, again to prevent SQL injection attacks.

Oh I totally agree. But the point I was trying to make was that the
mess didn't have to be such a mess.

I assumed that he had already pre-processed the strings with
mysql_real_escape_string(). (OK, based on what we can see this is not
a likely scenario, but just how much re-writing can we go doing.)

Personally I almost always use the {} notation for double quoted
string expansion, but I wanted to invite the OP to see the
alternatives available.

Happy new year BTW.

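An added example, not code from the thread, showing the advice quoted above applied to an UPDATE like the OP's: the raw interpolation beside a version that escapes every string with mysql_real_escape_string() and verifies every numeric value before use. It assumes an open mysql_* connection in $link and a hypothetical `users` table with `id`, `name` and `age` columns.

```php
<?php
// Added example, not from the thread. Assumes an open mysql_* connection
// in $link and a hypothetical table `users` (id INT, name VARCHAR, age INT).

// UNSAFE: raw interpolation. A single quote inside $name ends the string
// literal early, and the rest of the value becomes part of the statement.
function build_update_unsafe($name, $age, $id)
{
    return "UPDATE users SET name='$name', age=$age WHERE id=$id";
}

// SAFE, following the advice in the thread: every string is run through
// mysql_real_escape_string() against the live connection (so the connection
// charset is respected), and every numeric value is verified to be numeric
// before it is used. This applies to values taken from the session or the
// database as well, since they are being put back into a new statement.
function build_update_safe($link, $name, $age, $id)
{
    if (!ctype_digit((string) $age) || !ctype_digit((string) $id)) {
        throw new InvalidArgumentException('age and id must be unsigned integers');
    }
    $age  = (int) $age;
    $id   = (int) $id;
    $name = mysql_real_escape_string($name, $link);

    // {} notation for double-quoted expansion, as both posters prefer.
    return "UPDATE users SET name='{$name}', age={$age} WHERE id={$id}";
}

$sql = build_update_safe($link, $_POST['name'], $_POST['age'], $_SESSION['user_id']);
if (mysql_query($sql, $link) === false) {
    die('Update failed: ' . mysql_error($link));
}
```

mysql_real_escape_string() only protects values that sit inside quoted string literals, which is why the numeric values still need their own check. The mysql_* extension was removed in PHP 7; with mysqli or PDO the same statement can be written as a prepared statement with bound parameters, which makes the manual escaping unnecessary.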
#12
Jerry Stuckle
 
Re: mysql_query("update... simple question - 01-06-2012, 12:08 PM

On 1/6/2012 9:59 AM, Captain Paralytic wrote:
Quote:
On Jan 6, 2:05 pm, Jerry Stuckle<jstuck... (AT) attglobal (DOT) net> wrote:
On 1/6/2012 8:35 AM, Captain Paralytic wrote:

Paul, I know you were trying to be succinct in your posing, but your
example is very bad for security.

ALL strings need to use mysql_real_escape_string() to ensure characters
such as quotes (') (and others, depending on the charset) are handled
properly. More importantly, it prevents SQL injection attacks.

Additionally, numeric values need to be verified that they actually are
numeric before inserting, again to prevent SQL injection attacks.

Oh I totally agree. But the point I was trying to make was that the
mess didn't have to be such a mess.

I assumed that he had already pre-processed the strings with
mysql_real_escape_string(). (OK, based on what we can see this is not
a likely scenario, but just how much re-writing can we go doing.)

Personally I almost always use the {} notation for double quoted
string expansion, but I wanted to invite the OP to see the
alternatives available.

Happy new year BTW.

Yup, I use {} syntax a lot also, and even heredoc where I can.
Sometimes I find printf() to be useful, but more often than not it
confuses the issue more than it helps.

And a very Happy New Year to you and yours, also!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================

#13
Michael Joel
 
Re: mysql_query("update... simple question - 01-06-2012, 02:32 PM

On Fri, 6 Jan 2012 06:59:06 -0800 (PST), Captain Paralytic
<paul_lautman (AT) yahoo (DOT) com> wrote:

Quote:
I assumed that he had already pre-processed the strings with
mysql_real_escape_string(). (OK, based on what we can see this is not
a likely scenario, but just how much re-writing can we go doing.)

Actually yes. All variables were processed - except session vars since
these were loaded from the database and are not manipulated.

No need to rewrite anything. I only was asking about update syntax - I
had an incorrect understanding of it.

Mike
