Am 20.09.2011 01:23, schrieb Dotan Cohen:
> On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
>> i would use a small class holding the db-connection with
>> insert/update-methods
>> pass the whole record-array, look what field types are used in the table
>> and use intval(), doubleval() or my
On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
> i would use a small class holding the db-connection with insert/update-methods
> pass the whole record-array, look what field types are used in the table
> and use intval(), doubleval() or mysql_real_escape_string
>
By the way, the database co
On Tue, Sep 20, 2011 at 01:48, Reindl Harald wrote:
> i would use a small class holding the db-connection with insert/update-methods
> pass the whole record-array, look what field types are used in the table
> and use intval(), doubleval() or mysql_real_escape_string
>
> so you never write "insert
On Tue, Sep 20, 2011 at 02:09, Hank wrote:
>>
>> I want to be sure that all variables in the query are escaped. I don't
>> trust myself or anyone else to do this to every variable right before
>> the query:
>> $someVar=mysql_real_escape_string($someVar);
>>
>
> But you're doing exactly that right
>
>
> I want to be sure that all variables in the query are escaped. I don't
> trust myself or anyone else to do this to every variable right before
> the query:
> $someVar=mysql_real_escape_string($someVar);
>
>
But you're doing exactly that right before the query anyway with:
$M[username]=mysql_
Am 20.09.2011 00:39, schrieb Dotan Cohen:
> On Tue, Sep 20, 2011 at 01:11, Hank wrote:
>> Best of both worlds:
>>> $username=$_POST['username'];
>>> // do some stuff with username here
>>> $M=array(); // Array of things to be inserted into MySQL
>>> $M[username]=mysql_real_escape_string($userna
On Tue, Sep 20, 2011 at 01:11, Hank wrote:
> Best of both worlds:
>> $username=$_POST['username'];
>> // do some stuff with username here
>> $M=array(); // Array of things to be inserted into MySQL
>> $M[username]=mysql_real_escape_string($username); // Everything that
>> goes into $M is escaped
Best of both worlds:
> $username=$_POST['username'];
> // do some stuff with username here
> $M=array(); // Array of things to be inserted into MySQL
> $M[username]=mysql_real_escape_string($username); // Everything that
> goes into $M is escaped
> $query="INSERT INTO table (username) VALUES ('{$M
On Mon, Sep 19, 2011 at 18:11, Reindl Harald wrote:
> it is not because it is clear that it is sanitized instead hope and pray
> thousands of layers somewhere else did it - for an inline-query the best
> solution, if you are using a framework you will never have the "insert into"
> at this place!
>
Am 19.09.2011 16:55, schrieb Hank:
>>
>> what ugly style - if it is not numeric and you throw it to the database
>> you are one of the many with a sql-injection because if you are get
>> invalid values until there you have done no sanitize before and do not here
>>
>>
> It's a matter of opinion.
>
> what ugly style - if it is not numeric and you throw it to the database
> you are one of the many with a sql-injection because if you are get
> invalid values until there you have done no sanitize before and do not here
>
>
It's a matter of opinion. I never said the data wasn't sanitized (it is
On Mon, Sep 19, 2011 at 07:47, Reindl Harald wrote:
> what ugly style - if it is not numeric and you throw it to the database
> you are one of the many with a sql-injection because if you are get
> invalid values until there you have done no sanitize before and do not here
>
> $sql="INSERT into tab
On Mon, Sep 19, 2011 at 04:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a n
Am 19.09.2011 03:00, schrieb Hank:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a numeri
On Sun, Sep 18, 2011 at 12:28 PM, Dotan Cohen wrote:
> On Sun, Sep 18, 2011 at 17:44, Brandon Phelps wrote:
> > Personally I don't use any quotes for the numeric types, and single
> quotes
> > for everything else. Ie:
> >
>
> Thanks, Brandon. I understand then that quote type is a matter of
> t
On Sun, Sep 18, 2011 at 17:44, Brandon Phelps wrote:
> Personally I don't use any quotes for the numeric types, and single quotes
> for everything else. Ie:
>
Thanks, Brandon. I understand then that quote type is a matter of
taste. I always use double quotes in PHP and I've only recently
started
Personally I don't use any quotes for the numeric types, and single quotes for
everything else. Ie:
UPDATE mytable SET int_field = 5 WHERE id = 3;
SELECT id FROM mytable WHERE int_field = 5;
UPDATE mytable SET varchar_field = 'Test' WHERE id = 3;
SELECT id FROM mytable WHERE varchar_field = 'Te
Kim Kohen <[EMAIL PROTECTED]> wrote:
>
> I have a bit of a problem with some characters I'm loading from a Filemaker
> Pro database. The single quotes are stored in MySQL as ASCII character 155
> (an 'O' with a tilde over it). I have tried everything I can think of to
> replace this with the PHP I
At 15:58 +1000 20-10-2003, Kim Kohen wrote:
Hello all
I have a bit of a problem with some characters I'm loading from a Filemaker
Pro database. The single quotes are stored in MySQL as ASCII character 155
(an 'O' with a tilde over it). I have tried everything I can think of to
replace this with th
Sorry bout the blank one.
try this
Jim Lucas
- Original Message -
From: "Gregory Jon Welling/Parts Trading Inc." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 24, 2001 10:38 AM
Subject: quotes
> This is more of a php problem than mysql, but since I am using them
- Original Message -
From: "Gregory Jon Welling/Parts Trading Inc." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 24, 2001 10:38 AM
Subject: quotes
> This is more of a php problem than mysql, but since I am using them in
> combo...
>
> I have a database for people
Gregory,
This is a PHP question, really, but...
If you just echo the $companyname variable, you don't need double quotes around it:
If that is not what you are actually doing, give us the real code you are using with
$companyname in it, and we'll take it from there.
At 19:38 2001-10-24 +0200