> > You can still use extract($_POST).
> > It is as safe/vulnerable as $_POST['isAdmin'].
> >
> > In either case, use only variables that you know are yours and be certain
> > these contain values which you believe to be safe. For instance, if you expect
> > a variable called $firstname to contain a name to be stored in a SQL database,
> > be certain it does not contain SQL commands which can damage your database.
>
> Okay, I know I can use strip_tags() and/or htmlspecialchars() to strip out
> or modify HTML and PHP code in a string, but, how does one do the same with
> MySQL code in a string to prevent tampering?
You pass a string or a number to your query. You have to make sure the data
you're passing is a string, or a number.

If you're expecting a number, and use a query like:

WHERE id = $id

Then make sure $id is a number. You can use is_int, or (int), or whatever.

If you're passing a string

WHERE username = '$name'

Then make sure $name has all single quotes escaped within it. If all of them
are escaped, then it's just a string and can't do any harm. If they aren't
escaped, then the user can break out of your own SQL and put their own.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
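The two checks described above, written out as an added example (not code from the thread): a digits-only test plus a cast for the numeric case, and single-quote escaping for the string case, run over a few constructed inputs. The function names and the sample inputs are my own.

```php
<?php
// Added example, not from the mailing-list post. Demonstrates the two
// input kinds the reply distinguishes: numbers and quoted strings.

/**
 * Numeric input: accept only a string of decimal digits and hand back a
 * real integer, so nothing but digits can ever reach "WHERE id = $id".
 * ctype_digit() rejects signs, spaces, "1e3" and anything non-numeric.
 */
function safeId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

/**
 * String input: escape every backslash and single quote so the value
 * cannot close the quotes around it in "WHERE username = '$name'".
 * Backslashes are handled first so the quote escapes are not doubled.
 */
function safeString(string $raw): string
{
    return str_replace(["\\", "'"], ["\\\\", "\\'"], $raw);
}

// Constructed inputs: a benign pair, then a pair that tries to break out.
$cases = [
    ['id' => '42',        'name' => "O'Brien"],
    ['id' => '42 OR 1=1', 'name' => "x' OR 1=1"],
];

foreach ($cases as $c) {
    $id = safeId($c['id']);
    if ($id === null) {
        echo "rejected id: {$c['id']}\n";        // never reaches a query
    } else {
        echo "SELECT * FROM users WHERE id = $id\n";
    }
    $name = safeString($c['name']);             // quotes stay inside the string
    echo "SELECT * FROM users WHERE username = '$name'\n";
}
```

is_int() returns false for every value in $_POST, since PHP delivers them as strings, which is why the example tests ctype_digit() and then casts. With a live connection, mysqli_real_escape_string() or a prepared statement replaces the hand-rolled escaping, since plain str_replace/addslashes escaping is not charset-aware.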