10-28-2009, 02:25 AM
The Wanderer
Join Date: Dec 2008
Location: Auckland, NZ
Posts: 24
Thanks: 0
They're both equally bad from the perspective of SQL injection: http://en.wikipedia.org/wiki/SQL_injection
Even if there's no intentional SQL injection, your query will error out if any of the submitted data contains a " in the first example or a ' in the second.
Once you've learned about escaping user-submitted data, I would recommend *not* using extract. The PHP manual page itself (http://www.php.net/extract) recommends "Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.)"
There's no sense using extract() anyway, and it may overwrite variables you have already set up, further opening your code up to abuse.
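A worked version of the two points above, added here as an example (this is not code from the original poster or from the thread): a legitimate value containing a quote breaks a string-interpolated query, a prepared statement handles the same value correctly, and extract() on request data silently overwrites a variable the script already set. The `users` table, the `username` column and the `$isAdmin` flag are assumed for illustration; the request data is constructed inline so the script runs offline against an in-memory SQLite database.

```php
<?php
// Constructed sample input: an ordinary name that happens to contain a quote.
$submitted = "O'Brien";

// Vulnerable pattern (built but deliberately not executed): the value is dropped
// straight into a single-quoted SQL literal. The embedded ' closes the literal
// early, so the statement is malformed: an error on honest input, an injection
// point on crafted input.
$vulnerable = "SELECT id FROM users WHERE username = '$submitted'";
echo $vulnerable, PHP_EOL;

// Hardened pattern: bind the value as a parameter. The driver keeps the SQL text
// and the data separate, so quote characters in the input are never parsed as SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');

$insert = $pdo->prepare('INSERT INTO users (username) VALUES (:name)');
$insert->execute([':name' => "O'Brien"]);

$select = $pdo->prepare('SELECT id FROM users WHERE username = :name');
$select->execute([':name' => $submitted]);
$rows = $select->fetchAll(PDO::FETCH_ASSOC);
echo 'Rows matched with a bound parameter: ', count($rows), PHP_EOL; // 1

// extract() hazard: a request key that collides with a variable you set
// overwrites it, because EXTR_OVERWRITE is the default behaviour.
$isAdmin = false;                                             // set by the script
$request = ['username' => 'guest', 'isAdmin' => '1'];         // constructed $_GET
extract($request);
var_dump($isAdmin);   // string(1) "1": truthy, so a later privilege check passes

// Safer: read exactly the keys you expect into names you choose, so request
// data can never reach variables it was not meant to touch.
$isAdmin  = false;
$username = $request['username'] ?? '';
var_dump($isAdmin);   // bool(false)
var_dump($username);  // string(5) "guest"
```

Run it with `php example.php`; the PDO SQLite driver (`pdo_sqlite`) must be enabled, which it is in most default builds. The point of the first half is that escaping is a property of how the query is assembled, not of the data: the bound-parameter query matches the quoted name without any manual escaping. The second half shows why the manual's advice against extract() is about variable namespace collisions rather than about SQL at all.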