[thelist] [Easy as Pie] Working with a Database

Jon Hughes hughesj at firemtn.com
Fri Jan 18 17:18:50 CST 2008


Again, thank you for your comments, I sincerely appreciate the time you
took to look over my code.

I have a feeling my PHP skills are rustier than yours, but I know of no
better place to ask for help than this very list, so if anyone is
listening and knows a better way, please chime in!

 - Jon

> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of David Dorward
> Sent: Friday, January 18, 2008 3:10 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] [Easy as Pie] Working with a Database
> 
> 
> On 18 Jan 2008, at 23:04, Jon Hughes wrote:
> > I'm not seeing where I am vuln. to XSS, as I am using htmlentities on
> > the output,
> 
> Not in every case that you output data entered by the user (and
> shouldn't you be using htmlspecialchars[1]?)
> 
> > but I did in fact forget to escape the input to the database
> > - http://us.php.net/addslashes is the preferred method, right?
> 
> No, mysql_real_escape_string is (if you're working with MySQL at
> least).
> 
> (And that function name does a good job of summing up my number one
> gripe with PHP)
> 
> [1] Note that my PHP skills are decidedly rusty, you should probably
> check my suggestions of how to fix the holes in your code with a more
> reliable source.
> 
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/
> 
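The two fixes David suggests, shown side by side as an added example (not code from the thread or from Jon's project). It assumes a MySQL connection `$link` opened with `mysql_connect()` and `mysql_set_charset('utf8', $link)`, a table `comments` (id, author, body), and POST fields `author` and `body`; it targets the legacy `mysql` extension the thread is talking about (PHP 5), which PHP 7 removed in favour of mysqli/PDO prepared statements.

```php
<?php
// Added example, not from the thread. Assumes $link, the `comments`
// table and the POST fields named in the lead-in.

// --- Before: the pattern the thread says is wrong ---
// addslashes() only knows about ' " \ and NUL; it has no idea which
// charset the connection uses, and nothing here escapes for HTML.
function save_comment_unsafe($link, $author, $body) {
    $sql = "INSERT INTO comments (author, body) VALUES ('"
         . addslashes($author) . "', '" . addslashes($body) . "')";
    return mysql_query($sql, $link);
}

// --- After: escape for the destination, at the point of use ---
// Data bound for SQL: mysql_real_escape_string() escapes according to
// the charset of $link, and every value is quoted in the statement.
function save_comment($link, $author, $body) {
    $sql = sprintf(
        "INSERT INTO comments (author, body) VALUES ('%s', '%s')",
        mysql_real_escape_string($author, $link),
        mysql_real_escape_string($body, $link)
    );
    return mysql_query($sql, $link);
}

// Data bound for HTML: htmlspecialchars() is enough to neutralise markup;
// ENT_QUOTES also covers single quotes, so the result is safe inside
// attribute values as well as element text.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_comments($link) {
    $res = mysql_query("SELECT author, body FROM comments ORDER BY id", $link);
    while ($row = mysql_fetch_assoc($res)) {
        // Escape on output, every time, rather than once when storing.
        echo '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . "</p>\n";
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    save_comment($link, $_POST['author'], $_POST['body']);
}
render_comments($link);
```

The point is that SQL escaping and HTML escaping are different operations applied at different points; storing data already HTML-escaped, or relying on one output call to cover every page, is how the "not in every case" gap David mentions appears.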
