Hi all,
I know that addslashes() is the PHP Answer (tm) for clever web hackers who want to subvert my db by setting their last name to:
Johnson'; INSERT INTO user (host, user, password) VALUES ('%', 'badguy', '')
However, I wonder if there are better ways of handling different types of data.
In particular, I've been using a lot of javascript functions to allow users to update and delete records based on the primary key field. Obviously, somebody could save the HTML, change it, and try to do bad stuff by inserting text into something I expected to be an integer (and therefore did not use single quotes in my SQL query).
So, for non-string data, I think there may be a better solution than addslashes: typecasting. For instance:
mysql_query("DELETE FROM stock WHERE inventory_id = " . (string) ((int)$inventory_id) . " ", $mydbconnection);
What are the pros and cons of this method of data validation?
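As an added example (not the original poster's code), the following shows what the (int) cast from the question does to a handful of constructed inputs, next to a strict check that rejects anything that is not a plain positive integer; the function names and sample values are mine.

```php
<?php
// Added example, not from the original post. Compares the loose (int) cast
// with a strict integer validation for a primary-key parameter.

// Loose: the cast from the question. It never fails; it only coerces.
// Hostile text collapses to a harmless integer, but so does every typo,
// and an empty or garbage value silently becomes 0.
function loose_id(mixed $raw): int
{
    return (int) $raw;
}

// Strict: accept only digits (optional sign) within int range and >= 1.
// FILTER_VALIDATE_INT returns false for "42 OR 1=1", "abc", "12abc", ""
// and out-of-range values, so nothing is silently rewritten.
function strict_id(mixed $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Builds the DELETE from the question only when the id passes the strict
// check; null tells the caller to refuse the request instead of running it.
// (Binding the value as a prepared-statement parameter is the stronger
// general answer; this keeps to the cast-vs-validate question asked.)
function delete_stock_sql(string $raw): ?string
{
    $id = strict_id($raw);
    return $id === null ? null : "DELETE FROM stock WHERE inventory_id = $id";
}

// Constructed inputs a user could submit by editing the saved HTML form.
$inputs = [
    '42',                         // the only honest case
    '42 OR 1=1',                  // injection attempt against an unquoted integer
    "42'; DROP TABLE stock; --",  // string-style attempt, same idea as in the question
    'abc',                        // garbage: (int) turns this into 0
    '0',                          // a real zero, indistinguishable from garbage after (int)
    '',                           // empty field, also becomes 0
    '99999999999999999999',       // overflow: (int) clamps to PHP_INT_MAX on 64-bit
];

foreach ($inputs as $raw) {
    printf("%-32s loose=%-20d strict=%-8s sql=%s\n",
        var_export($raw, true),
        loose_id($raw),
        strict_id($raw) ?? 'REJECT',
        delete_stock_sql($raw) ?? '(request refused)');
}
```

Run from the command line to see that every hostile or malformed input is either neutralised to a wrong-but-valid id by the cast, or refused outright by the strict check, which is the trade-off the question is asking about.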