Hi,
How can I prevent MySQL injection in text fields and forms? Can someone provide a code example?
Is it basically taking commas out of the user input?
Thanks,
pr0gr4mm3r posted this at 13:52—11th April 2008.
He has: 470 posts
Joined: Sep 2006
Running your user-inputted data through mysql_real_escape_string() is all you need to do.
It escapes all characters that could be used to mess with a SQL query.
drew22299 posted this at 16:40—13th April 2008.
He has: 107 posts
Joined: Mar 2006
I tried using mysql_real_escape_string() by putting the variable that is being checked within the brackets:
mysql_real_escape_string($username);
mysql_real_escape_string($password);
Is that how you use mysql_real_escape_string()? Does that actually stop MySQL injections? I also have PHP checks that ensure the user enters only alphanumeric characters into the form.
Is this enough security for the form?
Thanks,
www.hotlista.co.uk
jbpostal posted this at 08:33—15th April 2008.
They have: 1 posts
Joined: Apr 2008
Place a server-side check along with the client-side check. Bar the special characters.
improve search engine rankings
pr0gr4mm3r posted this at 19:56—15th April 2008.
He has: 470 posts
Joined: Sep 2006
Those functions return the reformatted string, so use it like this:
<?php
// Assign the result back: the function returns the escaped string.
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
?>
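An added example, not code from any poster in this thread: the mysql_* functions used above were removed in PHP 7, and the usual approach today is a prepared statement with bound parameters, shown here beside the concatenated query it replaces. The `users` table, the sample account, the function names and the in-memory SQLite database (standing in for MySQL so the script runs offline) are all assumptions made for the example.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// against a MySQL server only the PDO DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('constructed-pw', PASSWORD_DEFAULT)]);

// Weak form: input is pasted into the SQL text, so a quote in $username
// closes the string literal and the remainder is parsed as SQL.
function count_concat(PDO $pdo, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$username'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened form: the statement text is fixed and the value is bound
// separately, so it is only ever compared as data.
function count_bound(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn();
}

// Login built on the bound query. The alphanumeric check is the server-side
// validation mentioned in the thread; it is an extra layer, and the bound
// parameter is what keeps input out of the SQL text.
function login(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || !ctype_alnum($username)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs for the comparison.
$hostile = "x' OR '1'='1";
printf("concatenated query, quoted input: %d row(s)\n", count_concat($pdo, $hostile));
printf("bound parameter,    quoted input: %d row(s)\n", count_bound($pdo, $hostile));
var_dump(login($pdo, 'alice', 'constructed-pw'));
var_dump(login($pdo, 'alice', 'wrong-pw'));
var_dump(login($pdo, $hostile, 'anything'));
```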