On 5/30/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Fri, May 26, 2006 10:39 am, Dotan Cohen wrote:
> What is the purpose of the sprintf? If it were using %d on integers I
> could see the point, but as we're talking about %s strings, what is
> the advantage to using sprintf?
None, really.
> How does this differ from:
> $query = "SELECT * FROM us
On 5/26/06, Eric Butera <[EMAIL PROTECTED]> wrote:
> > > What is the purpose of the sprintf?
It's just a way of creating the string without escaping it with quotes
to call the function over and over to keep it clean.
Thanks. I think that I'll stick with the simpler code (to my eyes) and
elimi
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
On 5/26/06, Satyam <[EMAIL PROTECTED]> wrote:
The escaping of invalid characters is already included and besides, you can
simplify your SQL statements such as the example (taken from the phpdocs
header).
echo BuildSql('Insert into ?ttable (?s,?ns,?mi,?d,?ni,?i)','Something','',5,time(),0,null);
- Original Message -
From: "Dotan Cohen" <[EMAIL PROTECTED]>
To: "Satyam" <[EMAIL PROTECTED]>
Cc: "PHP General (E-mail)"
Sent: Friday, May 26, 2006 6:36 PM
Subject: Re: [PHP] anti SQL injection method in php manual.
On 5/26/06, Satyam <[EMAIL PROTECTED]> wrote:
- Original Message -
From: "Dotan Cohen" <[EMAIL PROTECTED]>
> // Make a safe query
> $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
> quote_smart($_POST['username']),
> quote_smart($_POST['password
On 5/26/06, Brad Bonkoski <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> In the php manual:
> http://www.php.net/manual/en/function.mysql-real-escape-string.php
>
> The following method is suggested:
> // Quote variable to make safe
> function quote_smart($value)
> {
> // Stripslashes
>
- Original Message -
From: "Dotan Cohen" <[EMAIL PROTECTED]>
// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
quote_smart($_POST['username']),
quote_smart($_POST['password']));
mysql_query($query);
?>
What is the purpose o
Dotan Cohen wrote:
In the php manual:
http://www.php.net/manual/en/function.mysql-real-escape-string.php
The following method is suggested:
What is the purpose of the sprintf? If it were using %d on integers I
could see the point, but as we're talking about %s strings, what is
the advantage