Yup, anytime you have a database query that can be changed by the user (when using $_GET, $_POST, $_REQUEST, $_COOKIE, etc.) always check the input.
Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters.
So when inserting, selecting, etc. always do this:
PHP Code:
$query = "SELECT * FROM table WHERE user='". mysql_real_escape_string($user) ."'";
I got fed up of typing that, so I made a little function to make less typing. What can I say, I'm a lazy coder.
PHP Code:
//Escape the string for the database and add single quotes
function quote($value){
    $value = "'" . mysql_real_escape_string($value) . "'";
    return $value;
}
So your code is now:
PHP Code:
$query = "SELECT * FROM table WHERE user=". quote($user);
Hope this helps someone out.
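The same lookup written with a prepared statement, as an added example that is not part of the original post. The `mysql_*` functions used above were deprecated in PHP 5.5 and removed in PHP 7.0, so this version uses PDO, where the value is bound as a parameter and never spliced into the SQL text, which also removes the connection-charset dependency that escaping-based approaches have. The DSN, the credentials, and the `users` table with a `user` column are assumptions.

```php
<?php
// Added example (not from the original post): preventing SQL injection with
// PDO prepared statements instead of hand-escaping and quoting.
// Assumptions: a MySQL server reachable via the DSN below, a table `users`
// with a column `user`; the credentials are placeholders.

function connect(): PDO {
    // Declaring the charset on the connection is still good practice: it is
    // what escape-based helpers rely on to know which bytes are special.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares so data is sent separately from the query.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Equivalent of the post's: SELECT * FROM table WHERE user='<escaped>'
// Quoting and escaping are no longer the caller's job; the placeholder is
// filled by the driver and the input is always treated as a string value.
function findUser(PDO $pdo, string $user): ?array {
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// If a quoted literal is genuinely needed (for example when building an
// identifier list that cannot be parameterised), PDO::quote() escapes the
// value AND wraps it in single quotes, which is what the post's quote()
// helper does by hand.
function quoteForDb(PDO $pdo, string $value): string {
    return $pdo->quote($value);
}

$pdo = connect();

// Constructed input containing a single quote: in a hand-built query string
// this is exactly the character that breaks out of the literal, so it is a
// good test that the binding is doing its job. Prints null if no such user.
var_dump(findUser($pdo, "O'Brien"));

// Shows the escaped-and-quoted form for comparison, e.g. 'O\'Brien'
echo quoteForDb($pdo, "O'Brien"), PHP_EOL;
```

Run it from the command line with `php example.php` once the DSN and credentials point at a real database; the prepared-statement path is the one to reuse for every query that takes user input, and `PDO::quote()` is the fallback only for the rare cases a placeholder cannot express.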
