|
-
Oct 6th, 2009, 10:09 PM
#8
Re: Re-designing a flash site in (x)html
I am pretty sure you put this post in the wrong place. it's a good thing I decided to start reading this forum again!
anyway, you would be crazy to think you would be better off using PHP3 over, say, PHP5. even PHP4. magic_quotes_gpc provides a false security to SQL injection, and does encourage sloppy programming. the code you provided was evidence of that.
to "make code work" without magic_quotes_gpc, you simply need to be aware of the dangers of trusting your user's input. any untrustworthy data (no user's input is ever trustworthy -- so this means all input) needs to be sanitised before being used within an SQL query, for example. this counts for inserts, selects, updates, deletes. if you aren't up to adopting a database extension that uses prepared statements (like PDO or MySQLi), you can use the function mysql_real_escape_string() instead. eg.
PHP Code:
<?php
$data = "My name is 'Bob'!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data='$data'";
//without a call to mysql_real_escape_string(), this SQL query would fail because of the single quotes contained in $data.
?>
there isn't really much else to it.
Last edited by kows; Oct 6th, 2009 at 10:14 PM.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|
Reply With Quote