Actually I recommend you DO use mysql_real_escape_string. One diffrence between mysql_real_escape_string and the `standard` add slashes function is that the mysql_real_escape_string take account of the current character set used in the MySQL database. While its unlikely, your end user may be using a diffrent character set to the one you originaly designed for thus rendering your script vulnerable to SQL injection. Also you should also remember to take into account magic quotes as the data may already be escaped and by escaping it again you effectly corrupt the data.
Originally Posted by Lolcopters
Results 11 to 15 of 15
Thread: SQL Injection Protection
-
-
I run into that the other day, fixed it with: Originally Posted by Tomm
I never thought about the char set, I just add slashes then pass it through an input filter.PHP Code:if (! get_magic_quotes_gpc ()) {
$var = addslashes ( $var );
}
-
Not too much need for tooo much validation on my part, how do I limit characters, I want to limit to like just a-z, 1-9, ',./;&$%@!()*" That's the sort of stuff i think of as dangerous, I don't use magic quotes tbh, I have ALOT of validation on the login, but I'm talking about inside, just so as to not corrupt the data, like I was doing a form, inside a form, which just closed the textarea element and screwed it all up, so on that note, all I need is addslashes and mysql_real_escape_string() if I want it?
How could this hapen to meeeeeeeeeeeeeee?
lol.
-
All I usually do is addslashes in input, stripslashes on display.
-
Okie dokie then, I'm making a site management system
Wait, I.e.:
$input = addslashes($_POST['input']);
viewing:
$output = stripslashes($row['input']);Last edited by Hypertext; 11-03-2008 at 09:10 PM.
How could this hapen to meeeeeeeeeeeeeee?lol.
Reply With Quote
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts