  1. #1
    Regular Coder
    Join Date
    Apr 2010
    Posts
    417
    Thanks
    4
    Thanked 1 Time in 1 Post

    problem inserting $_SESSION data that contains a '

    Without having to create a new variable for each of the SESSION variables, how should I change the following example to securely insert data?

    The $requestID and $datetime_added were already made safe using mysql_real_escape_string; it is the session data that I am not sure about.



    Code:
    $addRequest = mysql_query("INSERT INTO requests (`request_id`, `datetime_added`, `customer_name`, `customer_email`) VALUES ('$requestID', '$datetime_added', '{$_SESSION['customerName']}', '{$_SESSION['customerEmail']}')");

    I just tried to use a foreach on each SESSION variable, but this causes problems with other session variables not used in the storing of data in MySQL, and there are too many to filter out, and too many session variables to create a new variable ($variablename) for each.
    Last edited by jasonpc1; 04-14-2011 at 06:04 PM.

  • #2
    New Coder
    Join Date
    Apr 2011
    Posts
    36
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Why not use mysql_real_escape_string on the session variables also? IMO - It should be done to all variables before they are inserted just to add an extra layer of security, even if they were previously stored in the database.

  • #3
    Regular Coder
    Join Date
    Apr 2011
    Posts
    286
    Thanks
    2
    Thanked 39 Times in 39 Posts
    Either you need to do like munkeyboy said, and escape the variables before passing them into the query, either by doing it inline or by creating a new variable.

    Or you can validate each variable before executing the query by checking if a lone single quote (') without an escape (\) is in the string (if you are enclosing the string in single quotes).

    Though really you should be validating each user input before you pass it into the SESSION variables, and still escaping it before putting it into the query.
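Putting the replies together, as an added example that is not code from this thread: PHP that pulls only the two needed session keys through an allowlist, escapes them inline as munkeyboy suggests, and, alongside, the prepared-statement form in which values are bound rather than spliced into the SQL text. It assumes a mysqli connection in $db (the question uses the older mysql_* extension), plus the question's own table columns and session keys.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection $db and
// the question's table: requests(request_id, datetime_added, customer_name, customer_email).

// Allowlist: column => session key. Other $_SESSION entries are simply ignored,
// so no per-variable copies and no filtering of unrelated session keys.
$columnsFromSession = [
    'customer_name'  => 'customerName',
    'customer_email' => 'customerEmail',
];

// Approach 1 (what the replies suggest): escape each value just before the query.
function escapedSessionValues(mysqli $db, array $map): array
{
    $out = [];
    foreach ($map as $column => $sessionKey) {
        $raw = isset($_SESSION[$sessionKey]) ? (string) $_SESSION[$sessionKey] : '';
        $out[$column] = mysqli_real_escape_string($db, $raw);
    }
    return $out;
}

function insertRequestEscaped(mysqli $db, string $requestID, string $datetimeAdded, array $map): bool
{
    $v   = escapedSessionValues($db, $map);
    $rid = mysqli_real_escape_string($db, $requestID);
    $dt  = mysqli_real_escape_string($db, $datetimeAdded);
    $sql = "INSERT INTO requests (`request_id`, `datetime_added`, `customer_name`, `customer_email`)"
         . " VALUES ('$rid', '$dt', '{$v['customer_name']}', '{$v['customer_email']}')";
    return mysqli_query($db, $sql) !== false;
}

// Approach 2: prepared statement. Values are bound, never spliced into the SQL,
// so a lone ' in a session value cannot change the statement's structure.
function insertRequestPrepared(mysqli $db, string $requestID, string $datetimeAdded, array $map): bool
{
    $stmt = mysqli_prepare($db, 'INSERT INTO requests (`request_id`, `datetime_added`,'
        . ' `customer_name`, `customer_email`) VALUES (?, ?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $name  = (string) ($_SESSION[$map['customer_name']] ?? '');
    $email = (string) ($_SESSION[$map['customer_email']] ?? '');
    mysqli_stmt_bind_param($stmt, 'ssss', $requestID, $datetimeAdded, $name, $email);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}
// Usage: insertRequestPrepared($db, $requestID, $datetime_added, $columnsFromSession);
```

Either function keeps the $_SESSION array untouched and only ever reads the keys named in the allowlist, which is what removes the need to loop over or copy every session variable.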

