John Cooper wrote:
> Brian Chivers wrote:
>> I'm trying to insert the text below into a mysql table but it's complaining, I think it's the ' 
>> that's causing the problem.
> 
>> mysql_query("INSERT INTO stream (channel, starttime, title, description, genre, filename) VALUES 
>> ('$channel','$starttime','$title','$description','$genre','$filename')");
>>
>> All the other fields work OK & if I remove the ' from $genre it works OK.
>>
> 
> Hi Brian, I've only been using PHP with mysql for 12 months but I have
> found PHP so easy to learn and you can rapidly prototype web
> applications. You could use basic input validation like
> 
> if (!get_magic_quotes_gpc()) {
>     $Search = addslashes($Search);
> }
> // see /etc/php.ini: magic_quotes_gpc = Off [turned off for performance]
> 
> if (isAlphaNumeric($_POST['username']) &&
>     isAlphaNumeric($_POST['password'])) {
>     ....
> }
> 
> will stop SQL injection using single quote input while you get to grips
> with more secure methods.
> 
> My PHP application, called mailmapping on sourceforge.net, might help
> with how to display/search/export MySQL data (only tested on Linux).
> 
> John.
> 
> 
Thanks, I'll have a look.

This is quite a simple PHP script I'm working on and I'm not too worried about SQL injection; I'll explain why :-)

I've set up a piece of Windows software called MediaPortal (http://www.team-mediaportal.com/) to do recording of TV programs to be used internally after they have been transcoded to Xvid AVIs. MediaPortal stores all its information in a MySQL database along with loads of other stuff I don't need, so what the script I'm working on does is look at the directory where the transcoded recordings are, then look up the relevant info in the database and insert that into another database that I then use to generate a webpage for staff to click on to stream the AVIs using Unreal MediaServer (http://www.umediaserver.net/umediaserver/index.html).

So as you can see there is never any user input to worry too much about, as the data is all pulled from the EPG, so it would have to be a very interesting attack by the creators of the EPG data, but thinking about it, it could be quite spectacular if they did do it :-)

Once I have this bit working I'm going to extend it to transcode to FLV files to upload a lower quality version into our YouTube clone that we run (http://www.vshare.in/) to allow students to watch the programs off-site and to be embedded into Moodle.

You may ask why I didn't use something like MythTV or MediaTomb; the simple answer is that the TV card I had doesn't work with MythTV yet, and although MediaTomb looks really good, the clients I want to stream to are simply Windows boxes, so I wanted a nice simple web frontend that Unreal allows me to use :-)

If anyone would like more info please ask :-)

Brian
------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily the views of Portsmouth College
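The quoting problem from Brian's INSERT and the standard fix for it, as an added example that is not code from the thread: it assumes PHP's PDO extension, a MySQL `stream` table with the six columns named above, and placeholder connection details; the row values are constructed sample data.

```php
<?php
// Added example, not from the thread. Shows the INSERT from the post built two
// ways: by string interpolation (breaks on a stray ') and as a prepared
// statement (data and SQL travel separately, so quotes in values are harmless).
// Assumes PDO with the MySQL driver and a `stream` table with these columns.

// Constructed sample row; the apostrophes are what break the interpolated query.
$row = [
    'channel'     => 'BBC Two',
    'starttime'   => '2008-03-10 21:00:00',
    'title'       => 'Horizon',
    'description' => "Tonight's programme",
    'genre'       => "Children's TV",
    'filename'    => 'horizon.avi',
];

// Fragile version: the value text becomes part of the SQL text, so any '
// inside a value closes the string literal early and MySQL rejects the query.
// When a value comes from outside the program, the same flaw is SQL injection.
function buildFragileInsert(array $r): string
{
    return "INSERT INTO stream (channel, starttime, title, description, genre, filename) "
         . "VALUES ('{$r['channel']}','{$r['starttime']}','{$r['title']}',"
         . "'{$r['description']}','{$r['genre']}','{$r['filename']}')";
}

// Hardened version: named placeholders; the driver never parses the values as SQL,
// so EPG data containing quotes (or anything else) is stored verbatim.
function insertStreamRow(PDO $db, array $r): bool
{
    $stmt = $db->prepare(
        'INSERT INTO stream (channel, starttime, title, description, genre, filename) '
        . 'VALUES (:channel, :starttime, :title, :description, :genre, :filename)'
    );
    return $stmt->execute([
        ':channel'     => $r['channel'],
        ':starttime'   => $r['starttime'],
        ':title'       => $r['title'],
        ':description' => $r['description'],
        ':genre'       => $r['genre'],
        ':filename'    => $r['filename'],
    ]);
}

// Placeholder connection details; replace with the real host, database and account.
$dsn = 'mysql:host=localhost;dbname=tv;charset=utf8mb4';
$db  = new PDO($dsn, 'user', 'password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

echo buildFragileInsert($row), "\n";   // shows where the stray ' lands inside the SQL
insertStreamRow($db, $row);            // the same row inserted safely
```

Printing the fragile form makes the failure visible before it reaches MySQL: the `'` in the genre terminates the literal, leaving `s TV'` as bare SQL.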