PHP - security etc

Andy Armstrong andy at
Wed Mar 7 15:42:44 GMT 2007

On 7 Mar 2007, at 14:30, Michael Stillwell wrote:
> But no!  For some monstrous reason, any *value* that starts and  
> ends with a single quote "will be taken as the name of a file to  
> read and send to the database server as the data for the  
> appropriate placeholder."  So if $name is "'/etc/password'" the  
> *contents* of /etc/password get inserted into your database.  (See  

Yeah, evidence that the PHP team don't understand the semi-predicate
problem and its friends abounds.

See the ridiculous 'magic quotes' switch for similar stupidity.

Andy Armstrong,
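
The ambiguity described in the quoted text, as an added example that is not part of the original messages or of any PHP library: an in-band convention cannot distinguish a literal value wrapped in single quotes from a file request, while an out-of-band type can. `classify_in_band`, `classify_typed`, `FileParam` and `assert_no_file_marker` are hypothetical names, the sample values are constructed, and PHP 8.1 or later is assumed.

```php
<?php
declare(strict_types=1);

// In-band convention as described in the quoted text (modelled only, no file
// is ever opened): the characters of the value decide how it is treated.
function classify_in_band(string $value): array
{
    if (str_starts_with($value, "'") && str_ends_with($value, "'")) {
        return ['file', substr($value, 1, -1)];
    }
    return ['data', $value];
}

// Out-of-band alternative (hypothetical type): intent travels in the type,
// so every string, quoted or not, stays plain data.
final class FileParam
{
    public function __construct(public readonly string $path) {}
}

function classify_typed(string|FileParam $value): array
{
    return $value instanceof FileParam
        ? ['file', $value->path]
        : ['data', $value];
}

// Guard for callers stuck with an in-band binder: fail closed on untrusted
// strings that would be reinterpreted as a file name.
function assert_no_file_marker(array $params): array
{
    foreach ($params as $i => $p) {
        if (is_string($p) && classify_in_band($p)[0] === 'file') {
            throw new InvalidArgumentException("parameter $i would be read as a file name");
        }
    }
    return $params;
}

// Constructed sample values: only the second and third trip the convention.
$samples = ["O'Brien", "'quoted nickname'", "'/tmp/example.txt'"];
foreach ($samples as $s) {
    printf("%-22s in-band=%-5s typed=%s\n", $s, classify_in_band($s)[0], classify_typed($s)[0]);
}
try {
    assert_no_file_marker($samples);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The guard rejects rather than rewrites, because any escaping scheme layered on top of the in-band convention would change the stored value.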
