[nycphp-talk] php in securityfocus 218
David Mintz
dmintz at panix.com
Tue Oct 21 09:43:00 EDT 2003
On Tue, 21 Oct 2003, Chris Snyder wrote:
> <snip />
> So we can kill this thread, is it safe to say that three best practices
> here are:
>
> 1) always check user input to make sure it's the type and size of data
> that you expect
> 2) use mysql_real_escape_string() if possible, or addslashes() to escape
> any quotes in the data
Will the PEAR DB's quote($value) do as well, do ya think?
Also, if you use PEAR's prepare("select * from foo where bla = ?") and
execute($sth,array('Gack')), you get quoting/escaping automatically,
right?
> 3) always encapsulate field values in quotes in your queries
>
Yeah, I've read somewhere that it never hurts to quote even numeric field
value types. That's standard rather than MySQL-specific, no?
---
David Mintz
http://davidmintz.org/
Email: See http://dmintzweb.com/whitelist.php first!
"Anybody else got a problem with Webistics?"
Sopranos 24:17
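The three practices from the quoted list, together with the PEAR DB quote() and prepare()/execute() variants the reply asks about, as an added example that is not part of the original message or of PEAR DB itself. It assumes a placeholder DSN, the table `foo` and column `bla` from the thread plus an integer `id` column, and the legacy `mysql` extension for the mysql_real_escape_string() case; the helper function names are hypothetical.

```php
<?php
// Added example (not from the original post): validate input first, then
// escape AND quote every literal, or let PEAR DB placeholders do it.
// Assumptions: placeholder DSN, table `foo` with columns `id` (integer) and
// `bla` (string); helper function names are hypothetical.
require_once 'DB.php';

// 1) Check that user input is the type and size you expect.
function validate_bla($raw)
{
    // Expect a short printable string; reject anything else outright.
    if (!is_string($raw) || strlen($raw) > 64 || !ctype_print($raw)) {
        return false;
    }
    return $raw;
}

function validate_id($raw)
{
    // An id must be all digits; cast so the type is guaranteed downstream.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return false;
    }
    return (int) $raw;
}

// 2) + 3) Legacy mysql extension: escape with the connection-aware function
// AND wrap the value in quotes. Escaping alone leaves an unquoted literal
// open, which is why the numeric column is quoted as well.
function legacy_query_sql($link, $bla, $id)
{
    $bla_esc = mysql_real_escape_string($bla, $link);
    $id_esc  = mysql_real_escape_string((string) $id, $link);
    return "SELECT * FROM foo WHERE bla = '$bla_esc' AND id = '$id_esc'";
}

// Same thing through PEAR DB: quoteSmart() returns a quoted, escaped
// string for strings and a bare number for integers.
function pear_quote_sql($db, $bla, $id)
{
    return 'SELECT * FROM foo WHERE bla = ' . $db->quoteSmart($bla)
         . ' AND id = ' . $db->quoteSmart($id);
}

// Placeholders: prepare()/execute() quote and escape every `?` value.
// PEAR DB builds the final SQL client-side, but the raw value never
// touches the query text, so the injection point is closed.
function pear_placeholder_rows($db, $bla, $id)
{
    $sth = $db->prepare('SELECT * FROM foo WHERE bla = ? AND id = ?');
    if (DB::isError($sth)) {
        return $sth;
    }
    $res = $db->execute($sth, array($bla, $id));
    $db->freePrepared($sth);
    if (DB::isError($res)) {
        return $res;
    }
    $rows = array();
    while ($row = $res->fetchRow(DB_FETCHMODE_ASSOC)) {
        $rows[] = $row;
    }
    $res->free();
    return $rows;
}

// Usage; the DSN is a placeholder.
$db = DB::connect('mysql://user:password@localhost/dbname');
if (DB::isError($db)) {
    die($db->getMessage());
}
$bla = validate_bla(isset($_GET['bla']) ? $_GET['bla'] : '');
$id  = validate_id(isset($_GET['id']) ? $_GET['id'] : '');
if ($bla === false || $id === false) {
    die('bad input');
}
$rows = pear_placeholder_rows($db, $bla, $id);
if (DB::isError($rows)) {
    die($rows->getMessage());
}
echo count($rows), " row(s)\n";
```

Two caveats worth keeping in mind with PEAR DB: later releases recommend quoteSmart() over the older quote(), and only the `?` placeholder is quoted and escaped; the `!` placeholder inserts its value verbatim, so it gives none of this protection. mysql_real_escape_string() is preferable to addslashes() because it escapes according to the character set of the open connection rather than byte-by-byte.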