
Writing secure php.mysql


  • Writing secure php.mysql

    Just wondering how much security is built into php.

    Like when you are doing an insert to the mysql database, say you INSERT INTO X (var,var2,var3) VALUES (x,y,$Z)

    what if there's a comma in $Z? I guess that would cause the command to fail? How about:

    INSERT INTO X (var,var2,var3) VALUES (x,y,"$Z")

    or do you need to embed $Z in htmlspecialcharacters?

  • #2
    I always use the following syntax in queries:

    INSERT INTO whatever SET whatever='$var', test='$var2';

    So variables are enclosed in single quotes - this would work with the syntax you're using as well.


    • #3
      Besides the visual aid of having the field name and value next to each other, why is that format superior to this:
      $query = "INSERT INTO X (var,var2,var3) VALUES ('$var', '$var2', '$var3')";


      • #4
        Yup, I like that visual aid, I thought that was only valid for updates to records but not for creating records. Yes, I like that much better, I wish all of vB was done that way.

        Cool, now I can tell what code came from you James

        I noticed that syntax somewhere just yesterday and said, whoa, what's that about?
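An added example, not code posted by anyone in this thread, showing what happens to the quoted-interpolation form from the posts above when the value itself contains a comma and an apostrophe, and the same INSERT written as a mysqli prepared statement so the value is bound as data rather than pasted into the SQL text. Table and column names follow the thread; the connection parameters are assumed placeholders.

```php
<?php
// Added example for the thread above (not from the original posts).

// 1. The approach discussed in the thread: interpolate the value inside single quotes.
function buildInterpolated(string $var, string $var2, string $var3): string
{
    return "INSERT INTO X (var,var2,var3) VALUES ('$var', '$var2', '$var3')";
}

// 2. Same INSERT as a mysqli prepared statement. The "?" placeholders are bound
//    as data, so a comma or quote inside $var3 cannot alter the statement itself.
function insertPrepared(mysqli $db, string $var, string $var2, string $var3): bool
{
    $stmt = $db->prepare("INSERT INTO X (var, var2, var3) VALUES (?, ?, ?)");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param('sss', $var, $var2, $var3); // 's' = bind each value as a string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample value containing both a comma and an apostrophe.
$z = "O'Brien, Jr.";

echo buildInterpolated('a', 'b', $z), "\n";
// Output: INSERT INTO X (var,var2,var3) VALUES ('a', 'b', 'O'Brien, Jr.')
// The single quotes do handle the comma, but the apostrophe in the data closes
// the quoted literal early, so MySQL reports a syntax error. The remedy for
// string interpolation is mysqli::real_escape_string (htmlspecialchars is for
// HTML output, not SQL); the prepared statement below avoids the issue entirely.

// Assumed connection details (placeholders), uncomment to run against a server:
// $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
// var_dump(insertPrepared($db, 'a', 'b', $z)); // bool(true) on success
```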

