RE: [PHP] PHP Security Leak (plaintext)

2002-04-25 Thread John Holmes
> $my_val_a = addslashes($HTTP_POST_VARS["val_a"]);
> $my_val_b = addslashes($HTTP_POST_VARS["val_b"]);
> $query = "INSERT INTO foo (a,b) VALUES ($my_val_a,$my_val_b)";
>
> Or if you have magic_quotes_gpc turned on (the default) all vars passed
> in from forms/cookies are quoted and SQL injection

RE: [PHP] PHP Security Leak (plaintext)

2002-04-25 Thread Richard Archer
At 4:00 PM -0500 25/4/02, Joshua b. Jore wrote:

>"INSERT INTO foo (a,b) VALUES (?,?)"

$my_val_a = addslashes($HTTP_POST_VARS["val_a"]);
$my_val_b = addslashes($HTTP_POST_VARS["val_b"]);
$query = "INSERT INTO foo (a,b) VALUES ($my_val_a,$my_val_b)";

Or if you have magic_quotes_gpc turned on (the

RE: [PHP] PHP Security Leak (plaintext)

2002-04-25 Thread John Holmes
> I think you misunderstood me. I already have an AuthenticateUser(TEXT,TEXT)
> function that works great. What I don't understand is how to get PHP to
> use placeholders for data binding. This is a more generic database issue. I
> could have also written:
>
> "INSERT INTO foo (a,b) VALUES (?,?)"
>

RE: [PHP] PHP Security Leak (plaintext)

2002-04-25 Thread Cal Evans
--
From: Joshua b. Jore [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 4:00 PM
To: Maxim Maletsky (PHPBeginner.com)
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] PHP Security Leak (plaintext)

Foo. Somehow I encrypted the last message.

--[PinePGP]--

RE: [PHP] PHP Security Leak (plaintext)

2002-04-25 Thread Joshua b. Jore
Foo. Somehow I encrypted the last message.

--[PinePGP]--[begin]--

I think you misunderstood me. I already have an AuthenticateUser(TEXT,TEXT) function that works great. What I don't understand is how to get PHP to use placeholders for data binding.