nuovo / spreadsheet-reader

A PHP spreadsheet reader (Excel XLS and XLSX, OpenOffice ODS, and variously separated text files) with a singular goal of getting the data out, efficiently
http://www.nuovo.lv/

addslashes #82

Closed jensing closed 9 years ago

jensing commented 9 years ago

Hi there,

first of all: Thank you for this simple but fast reader. My problem: I want to store the values in a database. For that I need to mask the strings (e.g. with PHP addslashes). I do not want to loop over each value again. Can you give me a hint where I have to add the addslashes command in your SpreadsheetReader_XLSX class?

Thanks a lot, jens

pilsetnieks commented 9 years ago

Hi, if you need to store anything in database, use parametrized queries (with mysqli_* functions or with PDO objects). Escaping strings and concatenating them into queries for mysql_* functions is not secure.

You should read this: http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/12860046

Even though you shouldn't do it, there may be some situations where it's unavoidable (e.g. locked into a legacy install.) In that case you should escape the values with mysql_real_escape_string instead of addslashes. Anyway, you shouldn't add the escaping code inside the class (what would happen when you update it?), you should work on the output. E.g.

$xlsxFile = new SpreadsheetReader('/path/to/file.xlsx');
foreach ($xlsxFile as $Row)
{
    // $DB is the open mysql_* link resource; escape on output, not inside the reader class
    $Value = mysql_real_escape_string($Row[0], $DB);
    save_value_wherever($Value);
}
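For the recommended route from the answer above (parameterized queries rather than escaping), here is an added example that is not part of the original issue or of the spreadsheet-reader project. It imports every cell of a spreadsheet through a single PDO prepared statement, so cell contents travel as bound parameters and are never concatenated into SQL; no addslashes or mysql_real_escape_string is needed (and the mysql_* extension the escaping snippet relies on was removed in PHP 7.0). The table name `cells`, its columns, the DSN and the credentials are assumptions; the iteration over SpreadsheetReader with row and column indices follows the foreach usage shown in the answer.

```php
<?php
// Added example (not project code). Assumes: a table `cells` with columns
// (row_num, col_num, value), a PDO connection supplied by the caller, and
// SpreadsheetReader.php from nuovo/spreadsheet-reader in the include path.
require_once 'SpreadsheetReader.php';

function importSpreadsheet(PDO $db, string $path): int
{
    // Throw on SQL errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use server-side prepared statements, not client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Prepare once: the statement text is fixed, only the bound values change.
    $stmt = $db->prepare(
        'INSERT INTO cells (row_num, col_num, value) VALUES (:row, :col, :value)'
    );

    $reader = new SpreadsheetReader($path);
    $inserted = 0;

    $db->beginTransaction();
    try {
        foreach ($reader as $rowIndex => $row) {
            foreach ($row as $colIndex => $cell) {
                // The driver sends each value separately from the SQL text, so
                // quotes, backslashes or SQL keywords inside a cell are stored
                // literally and cannot change the meaning of the query.
                $stmt->execute([
                    ':row'   => $rowIndex,
                    ':col'   => $colIndex,
                    ':value' => (string) $cell,
                ]);
                $inserted++;
            }
        }
        $db->commit();
    } catch (Throwable $e) {
        // Leave no half-imported spreadsheet behind on failure.
        $db->rollBack();
        throw $e;
    }

    return $inserted;
}

// Usage (DSN and credentials are placeholders to be replaced):
// $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password');
// echo importSpreadsheet($db, '/path/to/file.xlsx'), " cells inserted\n";
```

Preparing the statement once outside the loop is also the efficient choice the original question was after: the loop only binds and executes, it never rebuilds query text per cell.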