[nycphp-talk] Mysql question!
csnyder
chsnyder at gmail.com
Tue Oct 31 14:48:55 EST 2006
On 10/30/06, tuon1 at netzero.net <tuon1 at netzero.net> wrote:
> [...]
> //Add new customer to database
> function AddNewCustomer($FirstName, $LastName, $Address,
>                         $City, $State, $ZipCode,
>                         $AreaCode, $Phone, $Email,
>                         $WebsiteURL, $LoginName, $Password
>                        )
> {
>     $query = 'INSERT INTO Customer_Info (FirstNameCol,
>                   LastNameCol, AddressCol, CityCol, StateCol,
>                   ZipCodeCol, AreaCodeCol, PhoneCol,
>                   EmailCol, WebsiteURLCol,
>                   LoginNameCol, PasswordCol
>               )
>               VALUES ("'. $FirstName . '", "' . $LastName . '",
>                       "' . $Address . '", "' . $City . '",
>                       "' . $State . '", "' . $ZipCode . '",
>                       "' . $AreaCode . '", "' . $Phone . '",
>                       "' . $Email . '",
>                       "' . $WebsiteURL . '", "' . $LoginName . '",
>                       "' . SHA1($Password) . '")';
> }
>
> Feel free to correct my code and give suggestions for better techniques.
>
Hi Paul,
You always need to escape each of the user submitted values in your
SQL, in order to prevent breakage and security vulnerabilities. The
mysql_real_escape_string() function is the recommended way to do this.
// Wrapper so every value passes through the same escaping routine
function dbEsc( $value ) {
    return mysql_real_escape_string( $value );
}

// Shortened to one column; do the same for every other user-supplied value
function AddNewCustomer( $FirstName ) {
    $query = 'INSERT INTO Customer_Info ( FirstNameCol )
              VALUES ("'. dbEsc($FirstName) . '")';
    return mysql_query($query);
}
This is one of the two fundamental rules of secure web programming
with PHP (the other being that you always escape output values using
htmlentities()).
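As an added example (not code from Chris's reply or from Paul's message), here is the full AddNewCustomer() with every field passed through the escaping wrapper, next to the same insert written as a prepared statement, which is the form current drivers prefer. It assumes a mysqli connection $db (the mysql_* extension was removed in PHP 7; mysqli_real_escape_string() is its replacement), the Customer_Info table from the quoted message, and PHP 7.4 or later.

```php
<?php
// Added example, not from the original thread. Assumes a mysqli connection
// $db; mysqli_real_escape_string() needs it so the escaping matches the
// connection's character set. Table and column names are Paul's.

// Caller field names mapped to the Customer_Info columns, in insert order.
const CUSTOMER_COLUMNS = [
    'FirstName'  => 'FirstNameCol',  'LastName'   => 'LastNameCol',
    'Address'    => 'AddressCol',    'City'       => 'CityCol',
    'State'      => 'StateCol',      'ZipCode'    => 'ZipCodeCol',
    'AreaCode'   => 'AreaCodeCol',   'Phone'      => 'PhoneCol',
    'Email'      => 'EmailCol',      'WebsiteURL' => 'WebsiteURLCol',
    'LoginName'  => 'LoginNameCol',  'Password'   => 'PasswordCol',
];

function dbEsc(mysqli $db, string $value): string {
    return mysqli_real_escape_string($db, $value);
}

// The reply's technique applied to every field: each value goes through
// dbEsc() before it is concatenated into the SQL text, so a quote in a
// name like O'Brien no longer breaks the statement.
function AddNewCustomerEscaped(mysqli $db, array $fields): bool {
    $fields['Password'] = sha1($fields['Password']);   // as in the original
    $values = [];
    foreach (CUSTOMER_COLUMNS as $name => $col) {
        $values[] = '"' . dbEsc($db, $fields[$name]) . '"';
    }
    $query = 'INSERT INTO Customer_Info (' . implode(', ', CUSTOMER_COLUMNS)
           . ') VALUES (' . implode(', ', $values) . ')';
    return mysqli_query($db, $query) !== false;
}

// Same insert as a prepared statement: the SQL text holds only
// placeholders, so user input is never parsed as SQL and needs no escaping.
function AddNewCustomerPrepared(mysqli $db, array $fields): bool {
    $fields['Password'] = sha1($fields['Password']);
    $placeholders = implode(', ', array_fill(0, count(CUSTOMER_COLUMNS), '?'));
    $stmt = mysqli_prepare($db, 'INSERT INTO Customer_Info ('
          . implode(', ', CUSTOMER_COLUMNS) . ') VALUES (' . $placeholders . ')');
    if ($stmt === false) {
        return false;
    }
    $values = array_map(fn($name) => $fields[$name], array_keys(CUSTOMER_COLUMNS));
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
    return mysqli_stmt_execute($stmt);
}
```

The sha1() call is kept only to match the original table; for storing passwords, current PHP provides password_hash() and password_verify().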
--
Chris Snyder
http://chxo.com/