Re: PHP/MySQL injection

From: Andy Hassall <andy@andyh.co.uk>
Date: Wed Jul 27 2005 - 00:03:44 CEST

On Tue, 26 Jul 2005 09:22:31 +0100, Colin McKinnon
<colin.deletethis@andthis.mms3.com> wrote:

>Willem-Jan wrote:
>
>> I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
>> combination of functions you should use on variables posted by a form
>> before you add them to a database. Something like:
>>
>> $var = trim(addslashes($_POST['test']));
>
>mysql_escape_string()

 Yep, or use a library that emulates placeholders, despite MySQL (production
versions, anyway) not supporting them natively - ADOdb is my favourite. The
correct escaping is then done consistently by the library, saving you from
introducing a problem by the one time you forget to use mysql_escape_string().

-- 
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Received on Mon Oct 17 21:19:31 2005
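As an added example (not code from this thread or from ADOdb), here is what the two suggestions look like in current PHP: placeholder emulation of the kind a library does on the caller's behalf, beside a native prepared statement. It runs against an in-memory SQLite database through PDO so it needs no server; PDO::quote() takes the role mysql_escape_string() played, since that function went away with the mysql extension in PHP 7.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Runs against in-memory SQLite via PDO so
// it needs no server; for MySQL the DSN would be "mysql:host=...;dbname=..." instead.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE users (name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// ADOdb-style placeholder emulation: every "?" is replaced by the parameter quoted
// with the connected driver's own rules (PDO::quote(), the role mysql_escape_string()
// played in 2005). The library does the escaping, so no call site can forget it.
function emulatePlaceholders(PDO $pdo, string $sql, array $params): string
{
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder and parameter counts differ');
    }
    $out = $parts[0];
    foreach (array_values($params) as $i => $value) {
        $out .= $pdo->quote((string) $value) . $parts[$i + 1];
    }
    return $out;
}

// Constructed form inputs: a legitimate name containing a quote, and a value that
// would terminate the string literal if it were concatenated into the query raw.
foreach (["  O'Brien  ", "x' OR '1'='1"] as $posted) {
    $value = trim($posted);

    // (a) Emulated placeholders: the value is quoted into the SQL text.
    $sql = emulatePlaceholders($pdo, 'SELECT COUNT(*) FROM users WHERE name = ?', [$value]);
    $viaEmulation = (int) $pdo->query($sql)->fetchColumn();

    // (b) Native prepared statement: the value is sent separately and never becomes SQL.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
    $stmt->execute([$value]);
    $viaPrepared = (int) $stmt->fetchColumn();

    // Both treat the input as a plain string: 1 match for O'Brien, 0 for the other.
    printf("%-16s emulated=%d prepared=%d  sql: %s\n", $value, $viaEmulation, $viaPrepared, $sql);
}
```

The printed SQL for the second input shows the quote characters doubled by the driver, so the whole value remains one string literal.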