[prog] PHP script security
Wolfgang Petzold
petzold at villa-chaos.de
Tue Aug 19 08:21:59 EST 2003
Hi!
Cynthia Kiser, 18.08.03:
> Ahhhh. OK so AddSlashes is the PHP/mySQL equivalent of using bind
> variables [...]
Not as I read it. According to my PHP manual[1], the function addslashes
takes its argument and adds backslashes in front of certain characters: ',
", \ and NUL. No more. But this inhibits evil queries like Dan has been
describing one.
By the way: Would the effect of using AddSlashes be void if I used it --by
accident-- twice? (Like "Have I invoked AddSlashes yet? Hm, better if I
call it now...")
Cheers
Wolfgang
[1] I don't know any more where I got it from. It's a German one, and it's
signed "PHP-Dokumentationsgruppe" (PHP documentation group). Maybe I
got it directly from the PHP web site, but I can't tell right now.
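An added example, not part of the original post or the PHP documentation quoted above, showing what addslashes() actually does with the four characters mentioned (', ", \ and NUL) and what happens when it is applied twice by accident. The input string is constructed for the demonstration. The short answer to the question in the post is that a second application is not "void": it escapes the backslashes the first call inserted, so the stored value ends up with a doubled layer of backslashes, and stripslashes() has to be applied twice to recover the original. This is a data-integrity problem rather than a security one, and it is a different thing from binding parameters, which keep the data out of the SQL text altogether.

```php
<?php
// Added example (not from the original post): behaviour of addslashes()
// on each character it touches, and the effect of applying it twice.

// Constructed sample input: single quote, double quote, backslash and NUL.
$input = "O'Reilly said \"hi\" C:\\path" . "\0" . "end";

// One application: ' -> \'   " -> \"   \ -> \\   NUL -> \0
function escape_once(string $s): string {
    return addslashes($s);
}

// Two applications: the backslashes inserted by the first call are
// themselves escaped, so every escape sequence grows by one backslash.
function escape_twice(string $s): string {
    return addslashes(addslashes($s));
}

$once  = escape_once($input);
$twice = escape_twice($input);

// addcslashes() with "\0" renders the NUL byte as \000 so it is visible.
printf("original : %s\n", addcslashes($input, "\0"));
printf("once     : %s\n", $once);
printf("twice    : %s\n", $twice);

// stripslashes() undoes exactly one application of addslashes().
var_dump(stripslashes($once) === $input);                 // bool(true)
var_dump(stripslashes($twice) === $input);                // bool(false): one layer left
var_dump(stripslashes(stripslashes($twice)) === $input);  // bool(true)
```

Run it with `php example.php`. The `once` line shows every quote, backslash and NUL prefixed with a single backslash; the `twice` line shows the same positions with the backslashes doubled, which is what would be written to the database if the function were called a second time before the query is built. Escaping of this kind works on the characters listed and nothing else, so it is worth keeping a single, well-defined place where it happens (or using a database driver's parameter binding, where the question of calling it twice does not arise).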