[nycphp-talk] using unpack in form reading
David Sklar
sklar at sklar.com
Wed Feb 11 13:00:21 EST 2004
> i have not seen it but can unpack be used to prevent sql injections?
>
> i tend to have strict fixed length for my stuff and have noticed if i
> do an unpack on an incoming variable it seems safe:
>
> $id = array_shift(unpack("A2id", $_POST['id']));
>
> is this overkill?
Yes. unpack() doesn't buy you anything here that substr() doesn't. If
$_POST['id'] is "'" or ";'" then $id becomes "'" or ";'" -- there's no
encoding of special SQL chars.
David
More information about the talk
mailing list