$_POST: Are both approaches equally good?
Posted 10-28-2009, 02:25 AM by etoolbox (Auckland, NZ)
They're both equally bad from the perspective of SQL injection:
Even if there's no intentional SQL injection your query will error out if any of the submitted data contains a " in the first example or a ' in the second.
Once you've learned about escaping user-submitted data, I would recommend *not* using extract(). The PHP manual page itself recommends: "Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.)"
There's no sense using extract() anyway, and it may overwrite variables you have already set up, further opening your code up to abuse.
Chris Hope's LAMP Blog:
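To make the post's two points concrete, here is an added example (not code from the original thread) that shows how quoted input breaks a string-built query, how a crafted value changes its meaning, how extract() clobbers a variable the script already set, and what the prepared-statement version looks like. It assumes PHP with PDO and the pdo_sqlite extension; the table, column names and all form values are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Assumes PDO + pdo_sqlite.
// The users table and every $_POST value below are constructed inputs.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'hunter2')");

// The string-building approach the post warns about: form values are
// interpolated straight into the SQL text.
function loginUnsafe(PDO $db, string $user, string $pass)
{
    $sql = "SELECT username FROM users "
         . "WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// The prepared-statement version: values travel separately from the SQL,
// so a quote in the input is just data and can never end the literal.
function loginSafe(PDO $db, string $user, string $pass)
{
    $stmt = $db->prepare(
        "SELECT username FROM users WHERE username = ? AND password = ?"
    );
    $stmt->execute([$user, $pass]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 1. An innocent apostrophe: the unsafe query is malformed and errors out.
$_POST = ['username' => "o'brien", 'password' => 'x'];
try {
    loginUnsafe($db, $_POST['username'], $_POST['password']);
    echo "unsafe: ran\n";
} catch (PDOException $e) {
    echo "unsafe: SQL error: " . $e->getMessage() . "\n";
}
var_dump(loginSafe($db, $_POST['username'], $_POST['password'])); // bool(false): no such user, no error

// 2. Deliberate injection: the password clause is neutralised and the
//    unsafe query logs in as alice without knowing her password.
$_POST = ['username' => 'alice', 'password' => "' OR '1'='1"];
var_dump(loginUnsafe($db, $_POST['username'], $_POST['password'])); // ['username' => 'alice']
var_dump(loginSafe($db, $_POST['username'], $_POST['password']));   // bool(false)

// 3. extract() on $_POST: an attacker adds a field that the script never
//    expected, and it overwrites a variable already set up with a safe default.
$isAdmin = false;
$_POST = ['username' => 'bob', 'password' => 'x', 'isAdmin' => '1'];
extract($_POST);
var_dump($isAdmin); // string(1) "1": the default was silently replaced
```

Reading `$_POST['username']` and `$_POST['password']` explicitly, as loginSafe() does, keeps every variable in the script under the script's control; EXTR_SKIP would stop the overwrite in case 3, but it does nothing for the unexpected keys, which is why the manual says not to extract() user input at all.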