NYCPHP Meetup

NYPHP.org

[nycphp-talk] using unpack in form reading

David Sklar sklar at sklar.com
Wed Feb 11 13:00:21 EST 2004


> I have not seen it, but can unpack be used to prevent SQL injections?
>
> I tend to have strict fixed lengths for my stuff and have noticed that if I
> do an unpack on an incoming variable it seems safe:
>
> $id = array_shift(unpack("A2id", $_POST['id']));
>
> Is this overkill?

Yes. unpack() doesn't buy you anything here that substr() doesn't. If
$_POST['id'] is "'" or ";'" then $id becomes "'" or ";'" -- there's no
encoding of special SQL chars.

David
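To make the point of the reply concrete, here is an added example (not code from the original thread) that runs the questioner's `unpack("A2id", ...)` over a few constructed inputs standing in for `$_POST['id']`, shows what the truncated value looks like when spliced into a query string, and then shows the two defences that actually hold: validating the value against the shape the column expects, and binding it as a prepared-statement parameter. The `items` table, its rows and the sample inputs are made up for the demo; it uses PDO with an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not code from the original thread. Constructed inputs stand in
// for $_POST['id']; the table and rows are made up for the demo.

// The questioner's approach: unpack("A2id", ...) keeps the first two bytes
// (and strips trailing whitespace) but leaves quotes and semicolons intact.
function truncate_with_unpack(string $raw): string
{
    $parts = unpack("A2id", $raw);   // same value as array_shift(unpack(...)) in the question
    return $parts['id'];
}

// Defence 1: validate the shape. An id must be a positive integer, so anything
// else (quotes, semicolons, keywords) is rejected before it gets near SQL.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Defence 2: bind the value as a parameter. The driver sends it as data, so
// even a raw, unvalidated string cannot change the query's structure.
function lookup_by_id(PDO $db, string $raw): array
{
    $stmt = $db->prepare("SELECT id, name FROM items WHERE id = :id");
    $stmt->execute([':id' => $raw]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite keeps the demo self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO items (id, name) VALUES (42, 'widget'), (7, 'gadget')");

// Constructed sample inputs: one legitimate id and three that carry SQL metacharacters.
$samples = ["42", "';", "1'", "7 OR 1=1"];

foreach ($samples as $raw) {
    $truncated = truncate_with_unpack($raw);

    // What plain string concatenation would produce: the quote in "';" or "1'"
    // survives unpack() and terminates the literal, which is the point of the reply.
    // The string is only built and printed here, never executed.
    $concatenated = "SELECT id, name FROM items WHERE id = '" . $truncated . "'";

    printf("input %-10s unpack -> %-5s concatenated SQL: %s\n",
        var_export($raw, true), var_export($truncated, true), $concatenated);
    printf("  validate_id  -> %s\n", var_export(validate_id($raw), true));
    printf("  bound lookup -> %s\n", json_encode(lookup_by_id($db, $raw)));
}
```

Running it shows `unpack()` returning `"';"` and `"1'"` unchanged, while `validate_id()` returns `NULL` for every input except `"42"` and the bound lookup returns rows only for `"42"`; SQLite's numeric affinity compares the bound string `"42"` against the integer column, but `"1'"` and `"7 OR 1=1"` stay text and match nothing. In practice you would do both: validate first so bad input is rejected with a clear error, and still bind, so the query's structure never depends on the input.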



