[GLLUG] Retrieving a row from mysql
Szymon Machajewski
SMachaje at grcc.edu
Tue Feb 17 11:56:12 EST 2004
Jeremy,
I have to disagree with you on using the function always.
It will depend greatly on your database. What if you have a database
where you retrieve data not only with PHP, but with Crystal Reports and
other tools. What about the escape characters then ?
You will see on the ODBC report: O\'Brien
So generally if you control both input and output from the database and
you know it will be PHP retrieving data you could use the escape
function.
But most of all you always have to include data validation functions.
This will be not only to escape characters.
For example you should have a sql_safe() function where you would
define the escape characters you choose to use. Then you would use
$comments = sql_safe($comments) to reset each value before using in a
query.
What works sometimes is simply replacing single quotes with back ticks.
They look fine on the web page and in Crystal.
So there are no blanket solutions and there is always a trade off.
Sincerely,
Szymon Machajewski MCSD, CNA, MySQL Core
Grand Rapids Community College
Open Sourceror
>>> Jeremy Bowers <jerf at jerf.org> 2/17/2004 10:34:24 AM >>>
Shawn Paige wrote:
> query = mysql_query("SELECT * FROM " . $tablename . "
> WHERE name= '" . $name . "' AND accountnum= " .
> $accnum);
I figured somebody would mention this by now, but nobody has.
Never do this.
*Always* use mysql_real_escape_string around your parameters;
http://us2.php.net/manual/en/function.mysql-real-escape-string.php
There are two reasons. One, you may entirely accidentally end up
including active SQL characters in your $name variable; imagine someone
enters O'Brian. This sort of thing happens all the time and it's better
to prevent it.
Second, you open yourself up to SQL injection attacks; suppose someone
enters their name as "'; drop table [yourtablename];'"; MySQL may drop
your table. (Of course they can do other things, and depending on your
implementation may be able to acquire other information.
Even if you don't care about the second (trusted users only, etc.), in
my experience the first reason is reason enough to never directly
insert
strings into an SQL query. (You can directly insert numbers but only
after making *damned sure* they are numbers. This may be easier in PHP
then Perl, which is a little too friendly in the string<->number
converting.) You'll end up using an apostrophe sooner or later, usually
in a demo to somebody ;-)
I don't do PHP and am greatly surprised that PHP's mysql interface
doesn't seem to have a printf-like command like every other scripting
language I've seen. That lets you insert placeholders, pass in the
values, and let the library do the quoting, like this:
mysql_query("SELECT * FROM MyTable WHERE name = %s AND accountnum =
%s",
$name, $accountnum);
This is safe and relatively convenient.
_______________________________________________
linux-user mailing list
linux-user at egr.msu.edu
http://www.egr.msu.edu/mailman/listinfo/linux-user
More information about the linux-user
mailing list