[thelist] MySQL/PHP Associative Array Insert
Bill Haenel
mail at webmarketingworx.com
Sun Feb 2 00:02:01 CST 2003
> If there is any chance that a user may have control over the
> variables that are being passed to your queries, for example
> if they are being passed from a GET or POST request, make
> sure to escape any potentially dangerous characters ahead of time.
>
> The PHP documentation for mysql_escape_string():
> http://www.php.net/manual/en/function.mysql-escape-string.php
Point taken. Careful, though, as it's easy to end up double escaping
with mysql_escape_string() if magic_quotes_gpc is on (which in my case
it is).
Since we were talking arrays in this thread, you could go quickly
through the values easily with:
<?php
// Escape only when magic_quotes_gpc has NOT already added backslashes;
// escaping a magic-quoted value again is what produces double escaping.
if (!get_magic_quotes_gpc()) {
    foreach ($item as $k => $v) {
        $item[$k] = mysql_escape_string($v);
    }
}
?>
...or something like that.
I guess my point would be that this is important, and so it should be
done wisely: mysql_escape_string() should be used appropriately and when
necessary.
BH
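An added example (editor's code, not part of Bill's message) that shows the double-escaping problem he describes and one way to escape each value exactly once whichever way magic_quotes_gpc is set. It assumes the PHP 4/5-era functions get_magic_quotes_gpc(), stripslashes() and mysql_escape_string() are available; the table and column names and the sample input are constructed for the demonstration.

```php
<?php
// Added example, not code from the original message: escape request values
// exactly once regardless of magic_quotes_gpc, and show the double-escape
// failure mode. Assumes get_magic_quotes_gpc(), stripslashes() and
// mysql_escape_string() exist (PHP 4 / PHP 5).

function escape_for_query(array $item)
{
    $magic = get_magic_quotes_gpc();
    $out = array();
    foreach ($item as $k => $v) {
        if ($magic) {
            // magic_quotes_gpc has already put backslashes in front of quotes;
            // remove them so the value is escaped once by the call below.
            $v = stripslashes($v);
        }
        $out[$k] = mysql_escape_string($v);
    }
    return $out;
}

// Constructed sample input: what the script sees for ?name=O'Brien with
// magic quotes on (addslashes() is what magic quotes does on the way in)...
$with_magic_quotes = array('name' => addslashes("O'Brien"));
// ...and with magic quotes off.
$without_magic_quotes = array('name' => "O'Brien");

// Escaping the magic-quoted value again is the double-escape mistake: the
// backslash itself gets escaped, so a literal backslash ends up in the table.
echo "double-escaped: ", mysql_escape_string($with_magic_quotes['name']), "\n";

// Normalising first yields the same correctly escaped value either way.
// Which branch the helper takes depends on the php.ini of the host it runs on.
$safe = escape_for_query(get_magic_quotes_gpc() ? $with_magic_quotes : $without_magic_quotes);
echo "escaped once:   ", $safe['name'], "\n";

// The escaped value must sit inside quotes in the SQL string; escaping
// only protects a quoted string literal, never an unquoted value.
$sql = "INSERT INTO members (name) VALUES ('" . $safe['name'] . "')";
echo $sql, "\n";
?>
```

The helper works whichever way magic_quotes_gpc is set, which matters when the same script is moved between hosts with different php.ini settings; the point of stripping first is that the value reaches mysql_escape_string() in its raw form exactly once.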