Jump to content

Good example?


eduard
 Share

Recommended Posts

That article is OK for learning basics but there are things that aren't right. First of all, they mentioned "Netscape" which means this is a very old article. The second problem is that they're using register_globals instead of the $_GET array to access input variables.Another problem is that they're not sanitizing data before putting it into a query, which means that visitors to your site can mess up the database.

Link to comment
Share on other sites

That article is OK for learning basics but there are things that aren't right. First of all, they mentioned "Netscape" which means this is a very old article. The second problem is that they're using register_globals instead of the $_GET array to access input variables.Another problem is that they're not sanitizing data before putting it into a query, which means that visitors to your site can mess up the database.
Many thanks!Could you explain: ´sanitizing data´ please?
Link to comment
Share on other sites

When you're doing an SQL query, you put data into it that was given to you by a user. If the user is smart, they can mess up your database. If they aren't smart, there is still a chance that the site has an error when trying to make a query. For example in this code:

<?php$username = $_GET['username']; $query = mysql_query("SELECT * FROM users WHERE username='{$username}' ");?>

If a user decides to send "O'Reilly" as an input, the query will work wrong because of the apostrophe. Here is how the query would look: SELECT * FROM users WHERE username='O'Reilly'In order to solve this problem, we do something called "sanitizing" which turns the string into something that won't mess up the query.To sanitize with the mysql extension we use mysql_real_escape_string():

<?php$username = mysql_real_escape_string($_GET['username']);$query = mysql_query("SELECT * FROM users WHERE username='{$username}' ");?>

The sanitised string looks like this: SELECT * FROM users WHERE username='O\'Reilly'

Link to comment
Share on other sites

When you're doing an SQL query, you put data into it that was given to you by a user. If the user is smart, they can mess up your database. If they aren't smart, there is still a chance that the site has an error when trying to make a query. For example in this code:
<?php$username = $_GET['username']; $query = mysql_query("SELECT * FROM users WHERE username='{$username}' ");?>

If a user decides to send "O'Reilly" as an input, the query will work wrong because of the apostrophe. Here is how the query would look: SELECT * FROM users WHERE username='O'Reilly'In order to solve this problem, we do something called "sanitizing" which turns the string into something that won't mess up the query.To sanitize with the mysql extension we use mysql_real_escape_string():

<?php$username = mysql_real_escape_string($_GET['username']);$query = mysql_query("SELECT * FROM users WHERE username='{$username}' ");?>

The sanitised string looks like this: SELECT * FROM users WHERE username='O\'Reilly'

Ok, thanks very much!
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...