
[nycphp-talk] why addslashes()? [PHP Vulnerability]

David Mintz dmintz at davidmintz.org
Fri Dec 17 16:27:00 EST 2004


Isn't the main purpose of addslashes() to escape stuff for SQL query
purposes? In that case let's do our sanitization per normal, then use
parameterized SQL queries instead and forget addslashes().

On Fri, 17 Dec 2004, Daniel Convissor wrote:

> On Fri, Dec 17, 2004 at 04:11:48PM -0500, csnyder wrote:
>
> > Well gees -- you pass unsanitized user input to addslashes(), dontcha?
>
> Uh, no.
>
> If I expect something to be an integer, it better be an integer.  If I
> had to accept a file name, it wouldn't be allowed to have double
> periods or slashes in it.  I tend to check for length also.  Etc...


---
David Mintz
http://davidmintz.org/
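The approach the two posts describe, as an added example that is not part of the original thread: validate each input against what it is expected to be (an integer, a file name without slashes or double periods, a bounded length), then hand the values to the database through a prepared statement instead of building the query around addslashes(). It uses PDO, a later PHP API than the one available when this was written, and assumes the sqlite PDO driver is present so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Validation follows the checks
// Daniel lists; the query itself is parameterized, as David suggests.
declare(strict_types=1);

// Accept only a non-negative integer; anything else is rejected outright.
function expectInt(string $raw): int
{
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException("expected an integer, got: $raw");
    }
    return (int) $raw;
}

// Accept a file name with no path separators or "..", capped in length.
function expectFileName(string $raw): string
{
    if ($raw === '' || strlen($raw) > 64
        || str_contains($raw, '..') || str_contains($raw, '/')
        || str_contains($raw, '\\')) {
        throw new InvalidArgumentException("unacceptable file name: $raw");
    }
    return $raw;
}

// Assumption: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input standing in for $_GET / $_POST values.
$id   = expectInt('42');
$name = expectFileName("report's-final.txt");

// Parameterized query: the values travel separately from the SQL text, so
// the apostrophe in the file name needs no escaping and cannot change the
// meaning of the statement.
$stmt = $pdo->prepare('INSERT INTO files (id, name) VALUES (:id, :name)');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();

$stmt = $pdo->prepare('SELECT name FROM files WHERE id = :id');
$stmt->execute([':id' => $id]);
echo $stmt->fetchColumn(), PHP_EOL;
```

A value that fails expectInt() or expectFileName() never reaches the query, so the escaping question does not arise for it at all.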


