If we used this value without escaping it, we could inadvertently give an attacker access to all the records in a table:

    SELECT * FROM `#__test` WHERE `name`='a' OR name IS NOT NULL OR name='b'
We can overcome this using the getEscaped() method:

    $db =& JFactory::getDBO();
    $name = $db->getEscaped(JRequest::getVar('name'));
Using the getEscaped() method escapes any special characters in the passed string. In our example the inverted commas will be escaped by prefixing them with a backslash. Our query now becomes:

    SELECT * FROM `#__test` WHERE `name`='a\' OR name IS NOT NULL OR name=\'b'
The Quote() method is identical to the getEscaped() method except that it also
adds quotation marks around the value. Generally we should use Quote() in
preference to getEscaped(), because this method guarantees that we are using the
correct quotation marks for the database server that is being used.
Chapter 11
[ 331 ]
Something else we can verify is the number of results returned after we submit a
query. For example, if we know that we should only get one record from a query, we
can easily verify this.
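The two points above, using Quote() rather than getEscaped() and checking the number of records a query returns, combined in one added example. This is not code from the book; it assumes it runs inside a Joomla! 1.5 component where JFactory, JRequest and JError are loaded, and that the `#__test` table has a `name` column.

```php
<?php
// Added example, not from the book: look up one record by the request
// parameter 'name', quoting the value with Quote() and verifying that exactly
// one row comes back. Assumes the Joomla! 1.5 framework is loaded.
function getTestRecordByName()
{
    $db =& JFactory::getDBO();

    // Read the request value as a string.
    $name = JRequest::getString('name');

    // Quote() escapes special characters AND wraps the value in the quotation
    // marks appropriate for the active database driver, so the payload
    //   a' OR name IS NOT NULL OR name='b
    // becomes the harmless literal
    //   'a\' OR name IS NOT NULL OR name=\'b'
    // nameQuote() does the same job for identifiers.
    $query = 'SELECT * FROM ' . $db->nameQuote('#__test')
           . ' WHERE ' . $db->nameQuote('name') . ' = ' . $db->Quote($name);

    $db->setQuery($query);
    $rows = $db->loadObjectList();

    // A database error means the query itself is broken; report it and stop.
    if ($db->getErrorNum()) {
        JError::raiseWarning(500, $db->getErrorMsg());
        return null;
    }

    // We know this lookup should match exactly one record. Any other count
    // points at a malformed query, duplicate data, or input that was not
    // quoted correctly, so refuse to continue rather than use the result.
    if (count($rows) !== 1) {
        JError::raiseWarning(500, 'Expected exactly one record, got ' . count($rows));
        return null;
    }

    return $rows[0];
}
```

The count check costs nothing and turns an escaping mistake elsewhere in the component into a visible error instead of silently returning every row in the table.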