SQL Injection
Posted on
16th Feb 2014 07:03 pm by
admin
In my attempts to protect my database from mySQL injection I have created another problem for myself....
Currently all user inputted strings go through this function;
Code: function cleanQuery($string)
{
if(get_magic_quotes_gpc())
{
$string = stripslashes($string);
}
$string = mysql_real_escape_string($string);
$string = htmlentities($string);
return $string;
}
In the most, its great HOWEVER... there are three fields which I would like the user to be able to enter spaces in. An "About me" field for example, if it is run through the above function the new lines are replaced with a 'r' which i assume is "created" by the mysql_real_escape.
Question;
1) Should i run the function on every user variable?
2) Is there a safe "fix" or something alternative which i can run on the three fields which may require line breaks.
thanks.
No comments posted yet
Your Answer:
Login to answer
162 
9 
Other forums
Renaming a file that a user uploads to site?
My site allows for registered users to upload images to the site under their own gallery. Currently
Uploading files/images via forms
Hey all, I am building a database for work that will contain some minor data on plant species along
Forms Authentication and Refresh at Login page
Hello,
When I try to press the Login button in my webapplication at my login.aspx page nothing h
Big Problem!! Please help
Hi Guys,
Im making a website for a friend have encountered a really annoying problem. When ev
How to sum these output values
Hi
I need sum the month totals
SELECT region_name, area_name
,SUM (CASE WHEN S
