[nycphp-talk] Embrace Dynamic PHP
Daniel Convissor
danielc at analysisandsolutions.com
Fri Apr 25 08:49:17 EDT 2008
On Thu, Apr 24, 2008 at 07:34:50PM -0400, Austin Smith wrote:
> Further, I've long wanted to write a very simple set of flexible helper
> functions for PHP newbies so they don't blow their brains out with things
> like mysql_query("insert into blog_entries values(0, '{$_POST['title']}',
> '{$_POST['body']}')");
Fortunately, you haven't done so yet and thereby introduced the world to
another SQL injection attack and path disclosure vulnerability. :) You
have to escape input into the query and ensure $_POST variables actually
exist before using them to avoid PHP notices.
Of course, you can say you were just posting short hand. But you were
being pretty specific in your example.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
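As an added example (not code from the thread), here is the same insert written the way Dan's points suggest: the $_POST fields are checked before use, and the values are kept out of the SQL string altogether with a mysqli prepared statement, which stands in for the per-value escaping the old mysql extension required. It assumes a blog_entries table with an auto-increment id plus title and body columns, and placeholder connection details.

```php
<?php
// Added example, not from the thread. Assumes blog_entries(id AUTO_INCREMENT, title, body).
// Report mysqli failures as exceptions so a failed query does not emit a warning
// that prints the script path (the path disclosure Dan refers to).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Read a required field from $_POST without triggering a notice when it is
 * missing. Returns null when absent, empty, non-string, or too long, so the
 * caller can reject the request instead of inserting garbage.
 */
function post_field(string $name, int $max_len): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    $value = trim($_POST[$name]);
    return ($value === '' || strlen($value) > $max_len) ? null : $value;
}

/**
 * Insert a blog entry and return the new row id.
 * The SQL text is fixed; title and body are bound as string parameters,
 * so their contents cannot alter the statement no matter what they hold.
 */
function insert_blog_entry(mysqli $db, string $title, string $body): int
{
    $stmt = $db->prepare('INSERT INTO blog_entries (title, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $body);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

$title = post_field('title', 200);
$body  = post_field('body', 65535);
if ($title === null || $body === null) {
    http_response_code(400);
    exit('title and body are required');
}

// Placeholder credentials; read them from configuration in real code.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');
$id = insert_blog_entry($db, $title, $body);
echo "inserted entry $id";
```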