On Thu, 2007-10-04 at 10:55 -0700, Warren Vail wrote: > Rob, > > Your opinion would have meant more had you offered a solution. The only > hole that I am aware of is the likelihood that the imbedded query could get > executed accidentally later. > > If the database is mysql, there is finally a mysql function for filtering > and mysql_real_escape_string(), if I am not mistaken, should render attempts > to store SQL in the database harmless. For other databases, you should look > for something specific, but for the problem you described, addslashes() > should work just fine. > > http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
Sorry... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string Cheers, Rob. -- ........................................................... SwarmBuy.com - http://www.swarmbuy.com Leveraging the buying power of the masses! ........................................................... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
