There is a great amount of false assumptions in your question.

1. It is certainly an overkill.
   Let's examine your extremely-hard-to-read zillion-nested-operator statement:
   - storing the word 'undefined' makes no sense. A database has a special mark for undefined fields - a NULL value. Or simply an empty string would be enough.
   - unconditional stripslashes adds nothing to security but may spoil the data.
   - htmlentities has nothing to do with SQL security, may help with site security in other aspects and may spoil the data as well.
   - escaping adds nothing to security and will spoil the data.

2. You are taking the problem from the wrong end.
   Your primary goal is to format your query properly. Not to defend from imaginary "attackers" but to prevent malfunction with the most honest data, while a properly formatted query will be invulnerable to various attacks just as a side effect.
   Say, real_escape_string has nothing to do with security. It is used merely to format strings. There are no strings (data enclosed in quotes) in your query - thus this function is utterly useless (and even harmful).

3. In fact, an injection via INSERT is no less disastrous than via SELECT.

Finally, the right code would be

    $stmt = $mysqli->prepare("INSERT INTO testtable (order_text) VALUES (?)");
    $stmt->bind_param('s', $_POST["order_text"]);
    $stmt->execute();

and when printing the order text back to the site, use htmlspecialchars()

that's all.
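An added example, not the answer's own code, that extends the three-line snippet above into a complete handler: an absent or empty field is stored as SQL NULL rather than the word 'undefined', the INSERT is a prepared statement, and HTML escaping happens only at output time. It assumes an existing mysqli connection in $mysqli, an auto-increment `id` column on testtable, and that order_text is nullable.

```php
<?php
declare(strict_types=1);

// Assumption: $mysqli is an open mysqli connection; exceptions on any SQL error.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Store the submitted text; missing or empty input becomes SQL NULL, not 'undefined'. */
function saveOrderText(mysqli $mysqli, ?string $orderText): int
{
    $value = ($orderText === null || $orderText === '') ? null : $orderText;

    // Prepared statement: the value is sent separately from the SQL text, so
    // quotes, backslashes or '<' inside it cannot alter the query. No
    // stripslashes/htmlentities/escaping of the input is needed or wanted.
    $stmt = $mysqli->prepare('INSERT INTO testtable (order_text) VALUES (?)');
    $stmt->bind_param('s', $value);   // a PHP null bound here is sent as SQL NULL
    $stmt->execute();

    return (int) $stmt->insert_id;    // assumes an auto-increment id column
}

/** Read the row back; escaping for HTML happens here, at output, and nowhere else. */
function renderOrderText(mysqli $mysqli, int $id): string
{
    $stmt = $mysqli->prepare('SELECT order_text FROM testtable WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires mysqlnd

    if ($row === null || $row['order_text'] === null) {
        return '<p><em>(no order text)</em></p>';
    }
    // Stored data stays raw; the browser gets an escaped copy.
    return '<p>' . htmlspecialchars($row['order_text'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$id = saveOrderText($mysqli, $_POST['order_text'] ?? null);
echo renderOrderText($mysqli, $id);
```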