From: David Mehler on
Hello,
Got a form that takes in data to enter in to a database. I want to
make it as secure and as invulnerable to sql injection and other
attacks as possible. I'm wondering if mysqli_real_escape_string or
stripslashes should be used or if the former does the latter. For
example, I have a name variable:

$name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

or should I do:

$name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

Thanks.
Dave.
From: Michael Shadle on


On Jul 8, 2010, at 12:38 PM, David Mehler <dave.mehler(a)gmail.com> wrote:

> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
>
> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

This would work. Escaping the string should be all you need. As long as you use single quotes for wrapping the column values. Double quotes not sure but shouldn't be using those anyway.

>
> or should I do:
>
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

No... You'd be adding slashes and then removing them here :p


>
> Thanks.
> Dave.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
From: Shawn McKenzie on
On 07/08/2010 02:38 PM, David Mehler wrote:
> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
>

In general this is fine:

> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));
>
> or should I do:

You need to do something like this only if magic_quotes are enabled on
your PHP installation, except you would stripslashes first:

if(get_magic_quotes_gpc()) {
$_POST['name'] = stripslashes($_POST['name']);
}
$name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

>
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));
>
> Thanks.
> Dave.


--
Thanks!
-Shawn
http://www.spidean.com