On Mon, February 18, 2008 10:19 pm, Bastien Koert wrote:
> mysql_real_escape_string()
Yes.
> addslashes()
No, not right for different charsets. See above.
> htmlentities()
Completely and wildly inappropriate.
Might as well use a cannon to slice a tomato.
--
Some people have a "gift" link he
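An added example, not code posted in this thread, showing the two points made above: why addslashes() is not charset-safe and how to quote a value carrying single quotes using the driver's own escaping function. It uses mysqli because the mysql_* extension the thread refers to was removed in PHP 7; mysqli_real_escape_string() and mysqli_set_charset() play the same roles as mysql_real_escape_string() and mysql_set_charset(). The host, credentials, database and `notes` table are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not code from the thread. Demonstrates (a) why addslashes()
// is not charset-safe and (b) how to quote user input for MySQL properly.
// Host, credentials, database and the `notes` table are hypothetical.

mysqli_report(MYSQLI_REPORT_OFF); // return false on failure instead of throwing

// --- (a) addslashes() and a multibyte connection charset -------------------
// Constructed attacker input: a GBK lead byte (0xbf) followed by a single quote.
$payload = "\xbf' OR 1=1 -- ";

// addslashes() inserts a backslash (0x5c) in front of the quote, producing the
// byte sequence 0xbf 0x5c 0x27 at the start of the string.
$slashed = addslashes($payload);

// In GBK the byte pair 0xbf 0x5c is one valid two-byte character, so a server
// parsing the literal as GBK sees <char> followed by a bare 0x27, and the
// string literal ends early: the "escape" was swallowed by the multibyte
// character. addslashes() knows nothing about the connection charset, which
// is why it is the wrong tool here.
printf("addslashes output: %s\n", bin2hex($slashed));

// --- (b) driver-aware escaping and parameterised queries --------------------
$link = mysqli_connect('localhost', 'appuser', 'secret', 'appdb');
if ($link === false) {
    fwrite(STDERR, "no database available: " . mysqli_connect_error() . "\n");
    exit(1);
}

// Tell the client library the charset through the API. "SET NAMES" only
// changes the server side; the escaping function would keep using the old
// charset, which is exactly the gap the payload above exploits.
mysqli_set_charset($link, 'utf8mb4');

// Constructed user input with single quotes (the case from the question).
$body = "O'Brien said 'hi'";

// Wrong: raw interpolation. A syntax error for O'Brien, an injection for a
// hostile user. Built here only to show the shape; never sent to the server.
$broken = "INSERT INTO notes (body) VALUES ('$body')";

// The thread's answer: let the driver escape for the connection's charset,
// then interpolate the escaped value inside single quotes.
$escaped = mysqli_real_escape_string($link, $body);
mysqli_query($link, "INSERT INTO notes (body) VALUES ('$escaped')");

// Preferable: a prepared statement keeps the data out of the SQL text
// entirely, so there is nothing to escape and no charset to get wrong.
$stmt = mysqli_prepare($link, 'INSERT INTO notes (body) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $body);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($link);
```

Part (a) runs without a database and is enough to see the problem; part (b) needs a reachable MySQL server with the assumed credentials.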
On Mon, February 18, 2008 10:05 pm, nihilism machine wrote:
> I have a user saving a VARCHAR(255) field in a mysql db which has
> single quotes in the text, how can I replace them so that they don't
> fuck up my mysql command?
http://php.net/mysql_real_escape_string
Google for "SQL injection" for
I agree, but they all provide some level of handling; it just might not be the
'most correct' way of handling it.
bastien
On Mon, 2008-02-18 at 23:19 -0500, Bastien Koert wrote:
> mysql_real_escape_string()
> addslashes()
> htmlentities()
>
> take your pick
That's a bad answer. If he's using MySQL then he SHOULD use
mysql_real_escape_string(). None of the other functions will fully
protect him from malicious input.
mysql_real_escape_string()
addslashes()
htmlentities()
take your pick
bastien
On Mon, 2008-02-18 at 23:05 -0500, nihilism machine wrote:
> I have a user saving a VARCHAR(255) field in a mysql db which has
> single quotes in the text, how can I replace them so that they don't
> fuck up my mysql command?
mysql_real_escape_string()
Cheers,
Rob.
--
I have a user saving a VARCHAR(255) field in a mysql db which has
single quotes in the text, how can I replace them so that they don't
fuck up my mysql command?
-e
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php