From: David Mehler on 8 Jul 2010 15:38

Hello,
Got a form that takes in data to enter into a database. I want to make it as secure and as invulnerable to SQL injection and other attacks as possible. I'm wondering if mysqli_real_escape_string or stripslashes should be used, or if the former does the latter. For example, I have a name variable:

    $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

or should I do:

    $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

Thanks.
Dave.
From: Michael Shadle on 8 Jul 2010 16:35

On Jul 8, 2010, at 12:38 PM, David Mehler <dave.mehler(a)gmail.com> wrote:

> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
>
> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

This would work. Escaping the string should be all you need, as long as you use single quotes for wrapping the column values. Double quotes I'm not sure about, but you shouldn't be using those anyway.

> or should I do:
>
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

No... You'd be adding slashes and then removing them here :p

> Thanks.
> Dave.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
From: Shawn McKenzie on 9 Jul 2010 11:18

On 07/08/2010 02:38 PM, David Mehler wrote:

> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:

In general this is fine:

> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));
>
> or should I do:

You need to do something like this only if magic_quotes are enabled on your PHP installation, except you would stripslashes first:

    if (get_magic_quotes_gpc()) {
        $_POST['name'] = stripslashes($_POST['name']);
    }
    $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));
>
> Thanks.
> Dave.

--
Thanks!
-Shawn
http://www.spidean.com
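The pipeline the two replies describe (undo magic quotes first, escape once, keep the value inside single quotes), as an added example that is not code from the thread. It assumes a live MySQL server reachable with the placeholder credentials, a `users` table with a `name` column, and the `$DatabaseLink` name from the question; the form input is constructed inline.

```php
<?php
// Added example, not code from the thread. Credentials are placeholders.
$DatabaseLink = mysqli_connect('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if (!$DatabaseLink) {
    die('connect failed: ' . mysqli_connect_error());
}
// mysqli_real_escape_string escapes according to the connection charset,
// so set it through mysqli (a raw "SET NAMES" query is invisible to it).
mysqli_set_charset($DatabaseLink, 'utf8mb4');

// Step 1 (Shawn's point): strip magic_quotes slashes BEFORE escaping, and
// only if the installation still adds them. magic_quotes_gpc was removed in
// PHP 5.4 and the function itself is gone in PHP 8, hence the existence check.
function raw_post(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Step 2: escape exactly once, right before the value goes into the statement.
function escaped_post(mysqli $link, string $key): string
{
    return mysqli_real_escape_string($link, raw_post($key));
}

// Constructed input standing in for a submitted form field.
$_POST['name'] = "O'Brien";

$name = escaped_post($DatabaseLink, 'name');   // O\'Brien
// Michael's point: the escaped value is only safe inside single quotes.
$sql = "INSERT INTO users (name) VALUES ('$name')";

// The anti-pattern from the question: stripslashes AFTER escaping removes the
// backslash again, so the raw quote would land in the statement unescaped.
$undone = stripslashes($name);                 // O'Brien
var_dump($undone === raw_post('name'));        // bool(true): escaping fully undone

var_dump(mysqli_query($DatabaseLink, $sql));   // bool(true) when the table exists
```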