Rich,

Anything coming from a user should be escaped. I'd rather not run the risk of having control characters or other similar SQL injection tricks.

Either way - it's good to think ahead just in case anything you put into the database (i.e. strings with ' or " or other characters) won't show up with the extra slash there.

-Dash

You worry too much about your job. Stop it. You're not paid enough to worry.

On Sat, 9 Nov 2002, Rich Gray wrote:

> Erm.. isn't the addslashes() just needed to protect the SQL query?
>
> IMO the data in the db will not have any slashes embedded in normal
> circumstances, so there is no reason to stripslashes() any data coming from
> a database column...
>
> Rich
>
> -----Original Message-----
> From: Dash McElroy [mailto:dash.php@;westonefcu.org]
> Sent: 08 November 2002 16:53
> To: 'Zeus'; [EMAIL PROTECTED]
> Subject: RE: [PHP-WIN] mysql_fetch_array problem
>
> Zeus,
>
> 2 notes:
>
> 1. Data you insert into a database should be addslashes($varname) first (or
> another encoding) to protect against MySQL injection vulnerabilities. A nice
> stripslashes($varname) on the way out gets rid of the slashes. You could
> also use urlencode($varname) and urldecode($varname). Helpful for storing
> URLs.
>
> 2. mysql_fetch_array
> (http://www.php.net/manual/en/function.mysql-fetch-array.php) is nowhere to
> be found in your code. You're using mysql_fetch_field...
>
> Either way, this is what I do:
>
> $result = mysql_query("SELECT * FROM shoutbox BY ID desc LIMIT 5");
> $count = mysql_num_rows($result);
>
> if ($count > 0) {
>     for ($i=0;$i<$count;$i++) {
>         $row = mysql_fetch_array($result);
>         echo $row['time'] ."<br />".$row['name']."<br />".$row['message']."<br />\n";
>     }
> }
> elseif ($count == 0) {
>     echo "No results returned";
> }
> else {
>     echo "Invalid Query. MySQL error: ".mysql_error();
> }
>
> Please note - this code is off the top of my head, I have not actually tried
> it :)
>
> -Dash
>
> -----Original Message-----
> From: Zeus [mailto:zeus_dreamer@;myrealbox.com]
> Sent: Saturday, November 09, 2002 4:29 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP-WIN] mysql_fetch_array problem
>
> I try to display a mysql database using fetch_array but there seems to be a
> problem; I'm new with PHP and mysql.
> I'm not quite sure what's wrong with my code. I haven't included the form
> yet.
>
> The error message:
> Warning: mysql_fetch_field(): supplied argument is not a valid MySQL result
> resource in c:\apache\htdocs\zeus\shoutbox.php on line 17
>
> Code in shoutbox.php:
>
> <?PHP
>
> mysql_connect('localhost', 'zeus', 'pass') or die ("deadconnect");
> mysql_select_db('zeussama_db') or die ("no db");
>
> if($submit)
> {
>     $time=date("h:ia d/j/y");
>     $result=mysql_query("INSERT INTO shoutbox (id,name,message,time)","values ('NULL','$name','$message','$time')");
> }
> ?>
>
> <?php
> $result = mysql_query("SELECT * FROM shoutbox BY ID desc LIMIT 5");
> while($r=mysql_fetch_field($result))
> {
>     $time=$r["time"];
>     $id=$r["id"];
>     $message=$r["message"];
>     $name=$r["name"];
>
>     echo "$time <br>";
>     echo "$name <br>";
>     echo "$message <br>";
> }
> ?>
>
> ================================
> :.zeus:.
> http://www.redrival.com/zeussama
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
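The shoutbox insert and display from the thread above, as an added example that is neither Dash's nor Zeus's code: PDO prepared statements bind the user input instead of splicing it into the SQL text, so no addslashes()/stripslashes() pair is involved, and the query spells out ORDER BY (both queries quoted above read `SELECT * FROM shoutbox BY ID desc`, a syntax error that makes mysql_query() return false, which is what the "not a valid MySQL result resource" warning is reporting). It runs against an in-memory SQLite database so it works stand-alone; the table and columns follow the thread, and the MySQL DSN in the comment is an assumption.

```php
<?php
// Added example (not the thread's code): the shoutbox insert and display with
// PDO prepared statements. User input is bound as a parameter, never spliced
// into the SQL text, so there is no addslashes() on the way in and nothing to
// stripslashes() on the way out: the column holds exactly what was submitted.
// In-memory SQLite keeps it stand-alone; for MySQL the DSN would be something
// like 'mysql:host=localhost;dbname=zeussama_db' (assumed, not from the thread).
$db = new PDO('sqlite::memory:');
// Throw on failure instead of handing back false for the next call to choke on
// (the thread's "not a valid MySQL result resource" warning is that failure surfacing late).
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, name TEXT, message TEXT, time TEXT)');

function addShout(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare('INSERT INTO shoutbox (name, message, time) VALUES (:name, :message, :time)');
    $stmt->execute([':name' => $name, ':message' => $message, ':time' => date('h:ia d/j/y')]);
}

// Newest rows first. Note ORDER BY: the thread's "SELECT * FROM shoutbox BY ID desc"
// is a syntax error, which is why its mysql_query() returned false.
function latestShouts(PDO $db, int $limit = 5): array
{
    $stmt = $db->prepare('SELECT id, name, message, time FROM shoutbox ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT must be bound as an integer
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input with the quote and backslash cases the thread worries about.
addShout($db, 'Zeus', 'hello world');
addShout($db, "O'Brien", 'said "hi" and typed C:\\temp');

$rows = latestShouts($db);
// The database returns the original text: the apostrophe and backslash are intact.
// stripslashes() here would wrongly turn C:\temp into C:temp.
if ($rows[0]['message'] !== 'said "hi" and typed C:\\temp' || $rows[0]['name'] !== "O'Brien") {
    throw new RuntimeException('stored value came back altered');
}

foreach ($rows as $row) {
    // Escape for the context being written to (HTML); that is a separate step from SQL escaping.
    echo htmlspecialchars($row['time'], ENT_QUOTES, 'UTF-8'), '<br />',
         htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), '<br />',
         htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```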