these pages will self destruct...

Frequently asked questions

Q:
mysql_real_escape_string()? What in the world is
that? Did I mention that I’m not a PHP programmer?
a: mysql_real_escape_string() is a PHP function that escapes the
characters MySQL treats as special inside a string (quotes, backslashes,
NUL and a few others), so the value can sit inside a quoted literal in
your SQL statement without ending that literal early. Two caveats: it only
protects a value that you actually wrap in quotes in the query, and it
belongs to the old mysql extension, which was deprecated in PHP 5.5 and
removed in PHP 7.0. On current PHP the equivalents are
mysqli_real_escape_string() or PDO::quote(), and the better answer is
usually a prepared statement, which sends the value to the database
separately from the SQL text. Every major database driver offers
both kinds of protection.
And it's OK if you're not really familiar with PHP or these
functions. Remember, the point is that you're talking to the
programmers working on the server-side components of your
app. Just tell them to make sure they secure their scripts: validate the
input again on the server, and never build SQL by gluing form values
into a string.
Q:
And all this is called SQL injection?
a: SQL injection is just one type of security risk for web apps.
When you have form fields that are used to build SQL queries,
attackers try entering special strings, like the one you got from
PROJECT: CHAOS, to pull information out of the database or to
insert bad data into it.
The bad news is that there are lots of other types of attacks you
have to worry about... but the good news is that validation on the
server (your browser-side checks can be skipped by anyone who wants
to) together with a little care in how the server-side scripts are
written protects you against most of them. So go forth, and secure!
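To make the two answers above concrete, here is an added example (it is not code from the book or from the lookupCustomer.php script the book's illustrations show). It builds the same customer lookup three ways: pasting the form value into the SQL, escaping it with PDO::quote() (the PDO counterpart of mysql_real_escape_string()), and using a prepared statement. It assumes PDO with the SQLite driver so it runs without a MySQL server; the table, its rows and the attacker's input are constructed for the demo, and the same PDO calls work unchanged against MySQL.

```php
<?php
// Added example, not from the book. Assumes the pdo_sqlite extension so the
// demo runs offline; the table, rows and attack string below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO customers (name, email) VALUES
           ('Alice', 'alice@example.com'), ('Bob', 'bob@example.com')");

// What a server-side script must NOT do: glue the form value into the SQL.
// The attacker's quote closes the literal and the rest becomes SQL syntax.
function lookupUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, email FROM customers WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping: PDO::quote() doubles embedded quotes and adds the surrounding
// quotes itself. This is what mysql_real_escape_string() did for the old
// mysql extension, except that function left the quoting to you, which is
// exactly where people forgot it.
function lookupEscaped(PDO $db, string $name): array {
    $sql = 'SELECT name, email FROM customers WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text and the value travel separately, so no
// character in the value can change the structure of the query.
function lookupSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, email FROM customers WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A classic string typed into the "name" field of the lookup form.
$attack = "' OR '1'='1";

printf("unsafe:  %d rows\n", count(lookupUnsafe($db, $attack)));  // every customer leaks
printf("escaped: %d rows\n", count(lookupEscaped($db, $attack))); // nobody has that name
printf("safe:    %d rows\n", count(lookupSafe($db, $attack)));    // nobody has that name

// A legitimate lookup still works through the safe path.
printf("Alice:   %d rows\n", count(lookupSafe($db, 'Alice')));
```

Run it with `php lookup.php` (any PHP with pdo_sqlite). The unsafe version returns the whole customers table for the attack string, because the query it sends is `... WHERE name = '' OR '1'='1'`; the escaped and prepared versions return no rows, because they look for a customer literally named `' OR '1'='1`. Of the two fixes, prefer the prepared statement: escaping depends on the script author remembering the quotes and on the connection's character set, while a placeholder is correct by construction.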
Illustration callouts from this page (code excerpts, abbreviated in the original):

lookupCustomer.php
<?php
require('lib.php');
function go() {
    $myVar = ...
    return ...
}
?>

Hypertext Transfer Protocol
POST /placeOrder.php HTTP/1.1
Request ...