in reply to Re^6: escaping special characters in mysql queries
in thread escaping special characters in mysql queries
That was a lot of code... and I did not quite understand it all.
Could you identify the variable names that contain data that later turns out mangled?
$sth->execute( "NULL", $callid, "$fid", "$q->param($fid)" )
Here, and in other places too, the use of "" around variables is unnecessary.
At "$q->param($fid)" it is definitely wrong and will do something unexpected. Leave them out where you can.
There are problems with MySQL in particular where using them might speed up your statements, but that's hearsay for now, I haven't checked for sure.
There's a bit of a security risk where you are using CGI form input as database input.
You are using placeholders in the sql statement processing,
that's good, it's doing at least something to prevent you from sql insertion;
but it would make me feel happier if you tested for some expected/unexpected content of that input before you pass it to the database.
Cheers, Sören
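Added example (not part of Sören's reply or the original poster's code): it shows what `"$q->param($fid)"` actually interpolates to, then does what the reply asks for, validating the CGI field against an expected pattern before handing it to DBI through a placeholder. The `FakeCGI` package, the field names, the validation rules and the `answers` table are constructed for the demo; the optional SQLite part only runs if DBD::SQLite is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 1. What double quotes do to "$q->param($fid)".
# Constructed stand-in for a CGI object so the script runs without CGI.pm.
package FakeCGI;
sub new   { my ($class, %p) = @_; return bless {%p}, $class }
sub param { my ($self, $name) = @_; return $self->{$name} }
package main;

my $q   = FakeCGI->new(caller_name => "O'Brien");
my $fid = 'caller_name';

my $interpolated = "$q->param($fid)";   # what the quoted form builds
my $direct       = $q->param($fid);     # what was meant

# Inside "", Perl interpolates $q (stringified object) and $fid, while
# "->param(" and ")" stay literal text, so you get something like
# "FakeCGI=HASH(0x55d1...)->param(caller_name)" instead of the value.
print "interpolated: $interpolated\n";
print "direct:       $direct\n";

# 2. Check the form input against expected content before it reaches the DB.
# Constructed whitelist rules, one per field name.
my %rule = (
    caller_name => qr/^[A-Za-z' -]{1,64}$/,
    extension   => qr/^[0-9]{1,6}$/,
);

sub validated_param {
    my ($cgi, $name) = @_;
    my $re = $rule{$name} or die "no validation rule for field '$name'\n";
    my $v  = $cgi->param($name);
    return undef unless defined $v && $v =~ $re;
    return $v;
}

# 3. Bind the checked value through a placeholder.
# Note: binding the string "NULL" stores the text 'NULL', not SQL NULL;
# put NULL in the statement (or bind undef) for an auto-increment id.
sub insert_row {
    my ($dbh, $callid, $field, $value) = @_;
    my $sth = $dbh->prepare(
        'INSERT INTO answers (id, callid, field, value) VALUES (NULL, ?, ?, ?)'
    );
    return $sth->execute($callid, $field, $value);
}

my $value = validated_param($q, $fid);
die "rejected input for $fid\n" unless defined $value;

# Optional round trip against an in-memory SQLite database.
if (eval { require DBI; require DBD::SQLite; 1 }) {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, PrintError => 0 });
    $dbh->do('CREATE TABLE answers (id INTEGER PRIMARY KEY, '
           . 'callid INTEGER, field TEXT, value TEXT)');
    insert_row($dbh, 42, $fid, $value);
    my ($stored) = $dbh->selectrow_array(
        'SELECT value FROM answers WHERE callid = ?', undef, 42);
    print "stored:       $stored\n";   # O'Brien, the quote is data, not SQL
    $dbh->disconnect;
}
```

The whitelist regexes are the part to adapt per field: a rule that describes the content you expect (digits for an extension, a short name for a caller) rejects surprises before the database sees them, and the placeholder then guarantees that whatever passes is treated as a value rather than as part of the statement.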