SQL injection
Posted: Mon Sep 08, 2008 6:30 am
Hello!
Please give me an example about this:
What happens if I don't use ' around $new_num?
Why is this better? icq_num='$new_num'

It should also be noted that escaping the data is a useless precaution unless you encapsulate ALL submitted fields in quotation marks, including suspected numeric data. MySQL does not force you to wrap your numbers in quotes, but it MUST be done to keep users from injecting code.
It is actually better to use option 2 anyway because MySQL takes longer to process unquoted arguments in some cases. A good example is when you do a search against a character field using a non-quoted number, much like the first example above (no idea why though).
Code:
$new_num = $_POST['new_num'];
// SECURITY RISK
mysql_query("UPDATE user_info SET icq_num=$new_num WHERE my_num=1");
// better
mysql_query("UPDATE user_info SET icq_num='$new_num' WHERE my_num='1'");
This is correct as of MySQL 4.0.13.
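The point in the quoted text (escaping only helps once the value is also quoted, and parameters are better still) as an added example that is not part of the original post. It uses SQLite in place of MySQL so it runs offline, a constructed user_info table, and an escape() stand-in for mysql_real_escape_string; these are assumptions, not code from the thread.

```python
import sqlite3

# Constructed sample data standing in for the thread's user_info table.
# SQLite is used so the example runs offline; the structural point (an
# unquoted value is parsed as SQL, a quoted one stays a string) is the same in MySQL.
SCHEMA = """
CREATE TABLE user_info (my_num INTEGER PRIMARY KEY, icq_num INTEGER);
INSERT INTO user_info VALUES (1, 111), (2, 222), (3, 333);
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def escape(value):
    # Stand-in for mysql_real_escape_string: it neutralises quote characters
    # only; spaces, operators and keywords pass straight through.
    return value.replace("'", "''")

def find_unquoted(conn, icq):
    # The "SECURITY RISK" form: no quotes, so the submitted text becomes SQL
    # tokens and escaping has nothing to act on.
    sql = f"SELECT my_num FROM user_info WHERE icq_num={escape(icq)} ORDER BY my_num"
    return [r[0] for r in conn.execute(sql)]

def find_quoted(conn, icq):
    # The "better" form: quoted AND escaped, so the input stays a value.
    sql = f"SELECT my_num FROM user_info WHERE icq_num='{escape(icq)}' ORDER BY my_num"
    return [r[0] for r in conn.execute(sql)]

def find_parameterized(conn, icq):
    # Preferred today: the driver sends the value separately from the SQL text,
    # and int() rejects anything that is not a number before any query runs.
    return [r[0] for r in conn.execute(
        "SELECT my_num FROM user_info WHERE icq_num=? ORDER BY my_num", (int(icq),))]

def matches(finder, icq):
    # Runs one lookup against a fresh table; a rejected input matches nothing.
    try:
        return finder(fresh_db(), icq)
    except ValueError:
        return []
```

A normal value behaves the same in all three forms; a non-numeric value is only treated as SQL by the unquoted form.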