Jump to content

Anyone

waynew

By waynew
in Miscellaneous

 Share

Recommended Posts

waynew Advanced Member

waynew

Posted
  • Author
Posted

And I hate mysql_real_escape_string.  people just throw it on everything and send it off to the database, as the answer to validation.  Someone entered in abcd instead of a phone number? who cares! we mysql_real_ecape_stringed it, it's all good!

 

Couldn't agree more.

 

LOL FU H4XORZ YOU CANT HAX MAH DATABA-WAIT WTF IS THIS SHIT

Link to comment
Share on other sites
Daniel0 Advanced Member

Daniel0

Posted
Posted

And I hate mysql_real_escape_string.  people just throw it on everything and send it off to the database, as the answer to validation.  Someone entered in abcd instead of a phone number? who cares! we mysql_real_ecape_stringed it, it's all good!

 

Pfft... who needs data integrity? That's just a fancy smart ass buzz word.

Link to comment
Share on other sites
waynew Advanced Member

waynew

Posted
  • Author
Posted

And I hate mysql_real_escape_string.  people just throw it on everything and send it off to the database, as the answer to validation.  Someone entered in abcd instead of a phone number? who cares! we mysql_real_ecape_stringed it, it's all good!

 

Pfft... who needs data integrity? That's just a fancy smart ass buzz word.

 

GARBAGE WAH?

Link to comment
Share on other sites
PugJr Regular Member

PugJr

Posted
Posted

CV, guess you'd hate me as I mysql_real_escape_string everything that a user sends that goes into the DB. Also, how much more efficent can an "integrity check" be than mysql_real_escape_string everything that a user submits?

 

Is there a tutorial on this issue that people have made or something? I am quite unaware, apparently.

Link to comment
Share on other sites
.josh Advanced Member

.josh

Posted
Posted

I think you missed the part where instead of having your script check to see if the user actually entered in a (for example) validly formatted number, it just escapes it and sends it on its way.  So next thing you know, you have a database full of phone numbers like "abc" "abbclksdfja" etc... which guess what, they are escaped...but they aren't phone numbers!

 

You should have been doing something more like this:

 

$phone = preg_replace('~[^0-9]~','',$_POST['phone']);
if (!preg_match('~^[0-9]{10}$~',$phone)) {
  // tell the user they must supply a valid 10 digit number
} else {
  // $phone is valid. store it and it will be stored as 1234567890  so...no need to escape!
}

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.