There is no "one and only" way of filtering input like you describe, since no input is inherently invalid or even necessarily malicious. It's entirely what you do with the input that matters.

For example, suppose you have some text in $_GET['field'] and you are about to compose a SQL query. You need to escape the value using mysql_real_escape_string() (for MySQL, of course) like so:

```php
$sql = "INSERT INTO some_table (some_field) VALUES ('" . mysql_real_escape_string($_GET['field']) . "')";
```

This escaping is absolutely crucial to apply to input that you're using in a SQL query. Once it's applied as you see here, even malicious input from a hacker will have no ill effects on your database.

However, this function is both useless and outright wrong to use if you're including $_GET['field'] in some HTML output from your page. In that case, the function htmlspecialchars() is useful. You might do something like:

```php
echo "<p>Your comments were: " . htmlspecialchars($_GET['field']) . "</p>";
```

Both these examples are quite safe from "hacker-like inputs." You will not be inserting malicious data into your database or into your HTML. Yet, notice the two forms of escaping are completely different functions, each suited to its use.

By contrast, imagine if you tried to "validate" input for these two uses at the same time. You certainly couldn't allow < or > characters, since those could be part of a malicious HTML attack like Cross-Site Scripting. So, visitors who want to write "I think 1 < 3" would be stymied. Likewise, you couldn't allow quote marks for fear of malicious SQL injection attacks, so poor "Miles O'Brien" could never fill out your form!

Proper input escaping is very easy to do, as you use it in different contexts (it's often even easier than validating input!) yet the results are so much better.
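The two contexts from the answer above, worked end to end as an added example (this is not part of the original answer). It uses Python's sqlite3 module and html.escape() as stand-ins for mysql_real_escape_string() and htmlspecialchars(). The SQL side is written with a bound parameter, which is what the escaping call achieves by hand; the mysql_* functions were removed in PHP 7, so a bound parameter through PDO or mysqli is what you would write today. The sample inputs, the comments table and the function names are constructed for the demonstration. It also shows the two failure modes the answer warns about: no escaping at all (the quote in "Miles O'Brien" breaks the query) and escaping once "for both" contexts (the database ends up holding HTML entities).

```python
import html
import sqlite3

# Constructed sample inputs: the two visitors from the answer plus a
# quote-heavy string of the kind a SQL injection attempt would carry.
SAMPLE_INPUTS = [
    "I think 1 < 3",
    "Miles O'Brien",
    "'); DELETE FROM comments; --",
]


def new_db():
    """Fresh in-memory SQLite database with one hypothetical comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_naive(conn, text):
    """The broken version: raw text spliced straight into the statement.

    Returns True if the INSERT ran and False if the input broke the SQL,
    which is exactly what a quote in "Miles O'Brien" does.
    """
    try:
        conn.execute("INSERT INTO comments (body) VALUES ('" + text + "')")
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False


def store_comment(conn, text):
    """SQL context, done right: the text travels as a bound parameter.

    This is the parameterized-query equivalent of escaping for SQL: the
    database receives the literal value and never a fragment of syntax.
    """
    conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))


def render_comment(text):
    """HTML context, done right: escape for HTML at output time, and only there."""
    return "<p>Your comments were: " + html.escape(text, quote=True) + "</p>"


def fetch_all(conn):
    """Read back every stored comment body in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def round_trip(inputs):
    """Store with the SQL-context treatment, then render with the HTML one.

    Returns (what the database holds, what the browser receives). The
    database keeps the visitor's exact text; only the HTML copy is escaped.
    """
    conn = new_db()
    for text in inputs:
        store_comment(conn, text)
    stored = fetch_all(conn)
    return stored, [render_comment(t) for t in stored]


def escape_once_for_both(inputs):
    """What goes wrong if HTML escaping is applied up front to cover both uses.

    The INSERT only succeeds because html.escape happens to remove the
    quote characters, and the stored rows now contain HTML entities, so any
    non-HTML consumer (a report, an API, a search index) sees mangled data.
    """
    conn = new_db()
    for text in inputs:
        store_naive(conn, html.escape(text, quote=True))
    return fetch_all(conn)


if __name__ == "__main__":
    print("naive store of Miles O'Brien succeeded:", store_naive(new_db(), "Miles O'Brien"))
    stored, rendered = round_trip(SAMPLE_INPUTS)
    for s, r in zip(stored, rendered):
        print(repr(s), "->", r)
    print("escaped once, then stored:", escape_once_for_both(SAMPLE_INPUTS))
```

The check worth keeping from this is the round trip: what comes back out of the database must equal what the visitor typed, and only the rendered HTML should differ from it. If the stored copy already contains &lt; or &#x27;, escaping happened in the wrong layer.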