BugTraq
Re[2]: PHPNuke SQL Injection / General SQL Injection Feb 23 2003 05:42PM
alias securityfocus com
MightyE,

In response to your mail of Saturday 22 February 2003 at 21:20:29:

M> Actually, user supplied input from $_COOKIES, $_POST, and $_GET
M> comes slash-escaped, so if the user enters
M> ' or 1=1
M> as their input, the sql statement will look like
M> where some_int='\' or 1=1'
M> [..snip..]
M> function escape($input){
M> if (get_magic_quotes_gpc()) return $input;
M> return addslashes($input);
M> }
M> [..snip..]

Better still, always do this:

...WHERE id = ". intval($userinput) ." AND...

which doesn't rely on local configuration, magicquotes etc., and
resolves to (e.g.) "id = 0" when the $userinput is bad or missing.

Safe, simple, portable and effective.

--
Best regards,
James.
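
An added example, not part of the original message or of PHPNuke's code: it builds the same numeric WHERE clause with slash-escaping and with intval() over a few constructed inputs, and also shows a stricter reject-instead-of-coerce check. The helper names, the users table and its columns are hypothetical.

```php
<?php
// Added illustration. build_by_escaping(), build_by_intval() and strict_int()
// are hypothetical helpers; the table and column names are made up.

// Escaping only: the value lands in an unquoted numeric context, so there is
// no quote character for the added backslash to neutralise.
function build_by_escaping($userinput) {
    return "SELECT name FROM users WHERE id = " . addslashes($userinput) . " AND active = 1";
}

// Integer cast, as recommended in the reply: only an integer reaches the SQL text.
function build_by_intval($userinput) {
    return "SELECT name FROM users WHERE id = " . intval($userinput) . " AND active = 1";
}

// Stricter variant (an addition beyond the reply): reject input that is not
// entirely an integer instead of silently coercing it. Returns int or null.
function strict_int($userinput) {
    $v = filter_var($userinput, FILTER_VALIDATE_INT);
    return ($v === false) ? null : $v;   // === so that a valid 0 is not rejected
}

// Constructed sample inputs (not taken from any real request).
$samples = array("42", "0", "' or 1=1", "1 or 1=1", "", "12abc");

foreach ($samples as $in) {
    $strict = strict_int($in);
    printf("input:   %s\n", var_export($in, true));
    printf("escaped: %s\n", build_by_escaping($in));
    printf("intval:  %s\n", build_by_intval($in));
    printf("strict:  %s\n\n", $strict === null ? "rejected" : (string) $strict);
}
```

The input "1 or 1=1" contains no quote, so addslashes() passes it through unchanged, while intval() reduces it to 1. "12abc" becomes 12 under intval(), which is coercion rather than rejection; the strict check refuses it.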

Copyright 2010, SecurityFocus