Re: mysql issue...

From: Neil Moomey <neil@neilmoomey.com>
Date: Tue Mar 08 2005 - 10:25:04 AKST

It's called SQL Injection and yes it needs to be handled. Google it.

Neil
----- Original Message -----
From: "Clay Scott" <rudeboy@gci.net>
To: <aklug@aklug.org>
Sent: Tuesday, March 08, 2005 9:25 AM
Subject: mysql issue...

> for some reason a php/mysql script won't input values into a database if
> there's an extended character present. simple characters like apostrophes,
> colons, dashes, etc. the script uses this string for database input:
>
> mysql_query("INSERT INTO table (name, type, link) VALUES ('". $_POST['name'] ."', 'type', '$link')");
>
> it works perfectly well as long as 'name' doesn't contain any of the
> mentioned characters. if it does it seems the string is just lost
> completely. those three fields are varchar(100), varchar(20) and
> varchar(100) respectively so i know the characters are supported. i ran the
> insert string manually in mysql and can add values into 'name' with the
> characters fine.
>
> anything i should know about handling strings with these characters in
> them that i obviously don't? is my problem that i need to somehow edit my
> php to catch and escape these characters somewhere along the line?
>
> thanks,
> ~clay
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>

Received on Tue Mar 8 10:22:25 2005

This archive was generated by hypermail 2.1.8 : Tue Mar 08 2005 - 10:22:26 AKST
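
The failure described in the quoted message, next to one way of handling it, as an added example that is not part of the original thread. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL server so the script runs offline, the table name `links` is hypothetical, and the sample names and URL are constructed.

```php
<?php
// Added example: SQLite in-memory stands in for MySQL (assumption) so this runs offline.
// The table name `links` and all sample values are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE links (name VARCHAR(100), type VARCHAR(20), link VARCHAR(100))');

// Same shape as the query in the post: the value is pasted into the SQL text.
function insert_concatenated(PDO $pdo, string $name, string $link): bool
{
    $sql = "INSERT INTO links (name, type, link) VALUES ('" . $name . "', 'type', '$link')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        // An apostrophe in $name ends the string literal early, so the
        // statement no longer parses and nothing is inserted.
        return false;
    }
}

// Prepared statement: the SQL text is fixed and the values travel separately
// as bound parameters, so quotes in the data are never parsed as SQL.
function insert_prepared(PDO $pdo, string $name, string $link): bool
{
    $stmt = $pdo->prepare('INSERT INTO links (name, type, link) VALUES (:name, :type, :link)');
    return $stmt->execute([':name' => $name, ':type' => 'type', ':link' => $link]);
}

$samples = ["Clay", "O'Brien: notes - part 1", "it's"]; // constructed inputs
foreach ($samples as $name) {
    $a = insert_concatenated($pdo, $name, 'http://example.org/');
    $b = insert_prepared($pdo, $name, 'http://example.org/');
    printf("%-26s concatenated=%s prepared=%s\n", $name, $a ? 'ok' : 'FAILED', $b ? 'ok' : 'FAILED');
}

// Show what was actually stored, grouped by name.
foreach ($pdo->query('SELECT name, COUNT(*) AS n FROM links GROUP BY name') as $row) {
    printf("%-26s rows=%d\n", $row['name'], $row['n']);
}
```

Colons and dashes pass through both paths unchanged; only the apostrophe breaks the concatenated statement, because it is the string delimiter in the SQL text.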