John Oliver wrote:
I know absolutely nothing about this. I've been banging around
various tutorials. Most just sort of skip over this. The closest I
came is:
http://www.freewebmasterhelp.com/tutorials/phpmysql/4
However, their example:
$query = "INSERT INTO contacts VALUES
('','$first','$last','$phone','$mobile','$fax','$email','$web')";
doesn't work, and got me a "Learn how to use SQL Injection" comment.
I need a tutorial that explains this stuff. I don't have the vaguest
clue what I'm doing, and when the tutorial assumes any pre-existing
knowledge, I get left behind pretty quickly.
The "Learn how to use SQL Injection" comments are
justified. If your server hosting has the magic_quotes_gpc setting in
PHP switched off, in addition to having register_globals switched on,
you'll be in trouble with the method above. Then I can delete your
entire address book by entering the following into one of the fields:
'); DELETE FROM contacts;
A better method would be something in the direction of the following:
<?php
// magic_quotes_gpc (when enabled) adds slashes to all incoming request data;
// undo that only in that case, so that a genuine backslash in the input survives
$fields = array('first', 'last', 'phone', 'mobile', 'fax', 'email', 'web');
$values = array();
foreach ($fields as $name) {
    $value = isset($_REQUEST[$name]) ? $_REQUEST[$name] : '';
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // escape for MySQL (needs an open mysql_connect() link) and quote the value
    $values[] = "'" . mysql_real_escape_string($value) . "'";
}
// the first column is the auto-increment id, left empty as in the tutorial
$query = "INSERT INTO contacts VALUES ('', " . implode(', ', $values) . ")";
// execute the MySQL statement and report a failure instead of silently ignoring it
if (!mysql_query($query)) {
    die('Insert failed: ' . mysql_error());
}
?>
At least you'll be safer than using your original code. I know, it's a
lot more code, but it's also more secure.
Unfortunately, many tutorials out there teach the absolute simplest
way, which also teaches the less secure methods.
--
Kim André Akerø
-
ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
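As an added illustration of the point made in the reply above (Python with the standard sqlite3 module; not code from the original thread), the tutorial's string-built INSERT is run beside a parameterised one against a constructed in-memory contacts table, with the input quoted above placed in the last field. Binding the values as parameters, rather than escaping them into the statement text, is what keeps them from ever being parsed as SQL.

```python
import sqlite3

# Constructed example data (not from the original post): a contacts table with the
# thread's seven text fields plus an auto-numbered id, and the input quoted above.
FIELDS = ("first", "last", "phone", "mobile", "fax", "email", "web")
PAYLOAD = "'); DELETE FROM contacts;"

def fresh_db():
    """In-memory database holding one pre-existing contact."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, "
                 + ", ".join(f + " TEXT" for f in FIELDS) + ")")
    conn.execute("INSERT INTO contacts VALUES (NULL, 'Ann', 'Lee', '1', '2', '3', "
                 "'ann@example.invalid', 'http://example.invalid')")
    conn.commit()
    return conn

def naive_insert(conn, form):
    """The tutorial's pattern: paste raw form values into the statement text."""
    sql = "INSERT INTO contacts VALUES (NULL, %s)" % ", ".join(
        "'%s'" % form[f] for f in FIELDS)
    try:
        # executescript runs every statement in the string, as an interface that
        # accepts stacked queries would; the leftover "')" at the end is a syntax
        # error, but the statements before it have already run by then.
        conn.executescript(sql)
    except sqlite3.Error:
        pass
    return sql

def safe_insert(conn, form):
    """Bind the values as parameters: they never become part of the SQL text."""
    sql = "INSERT INTO contacts (%s) VALUES (%s)" % (
        ", ".join(FIELDS), ", ".join("?" for _ in FIELDS))
    conn.execute(sql, [form[f] for f in FIELDS])
    conn.commit()

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]

if __name__ == "__main__":
    form = dict.fromkeys(FIELDS, "Bob")
    form["web"] = PAYLOAD  # last field, so the INSERT in front of it is well-formed
    bad, good = fresh_db(), fresh_db()
    naive_insert(bad, form)
    safe_insert(good, form)
    print(row_count(bad), row_count(good))  # 0 2: the string-built version wiped the table
```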