variable passing
Do ALL variables at least need to be passed through mysql_real_escape_string, even if the client-side user doesn't know they're passing a variable?
For example, deleting a picture sends the id number of a picture to be deleted. Should this be passed through mysql_real_escape_string?
I'm having trouble knowing which variables need to be "purified" before being processed by PHP or MySQL.
Okay quick question
since I have all of my variables already set, and didn't code much security when I first coded, what if I name the new secure variable the same name as the old variable.. will it take precedence over the old?
For Example:
Code:
$variable = mysql_real_escape_string(strip_tags($variable));
// code containing a bunch of $variable here //
Which will take precedence?
Because if I have to rename all of my variables... well let's just say it'd take a long time.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Not sure what you just said.. but
Code:
$variable = mysql_real_escape_string(strip_tags($variable));
$variable is now "clean"
- John Cartwright
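For the picture-deletion case asked about at the top of the thread, an added example (not code from any poster in the thread): the id is validated as an integer and bound through a PDO prepared statement rather than escaped with mysql_real_escape_string, because a request value is client-controlled whether or not the user ever sees it. The pictures table, its columns, the owner check and the sample values are constructed assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the example runs offline.

```php
<?php
// Added example: table name, column names and sample rows are constructed.
declare(strict_types=1);

/**
 * Validate a client-supplied picture id. Returns a positive int, or null if
 * the value is not a plain decimal integer.
 */
function parsePictureId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Delete one picture, but only if it belongs to the requesting user.
 * Returns the number of rows removed (0 or 1).
 */
function deletePicture(PDO $db, int $pictureId, int $ownerId): int
{
    $stmt = $db->prepare('DELETE FROM pictures WHERE id = :id AND owner_id = :owner');
    $stmt->bindValue(':id', $pictureId, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pictures (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL)');
$db->exec('INSERT INTO pictures (id, owner_id) VALUES (1, 10), (2, 10), (3, 20)');

$currentUser = 10; // would come from the server-side session, never from the request

// Constructed request values, as they might arrive in $_POST['id'].
foreach (['2', '3', '12abc', '-5', ''] as $raw) {
    $id = parsePictureId($raw);
    if ($id === null) {
        echo "rejected input: " . var_export($raw, true) . "\n";
        continue;
    }
    echo "id $id: deleted " . deletePicture($db, $id, $currentUser) . " row(s)\n";
}
```

Id 2 is deleted, id 3 is left alone because it belongs to another user, and the three non-integer values never reach the database.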