SQL Injection


Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from MySQL injection I have created another problem for myself....

Currently all user-inputted strings go through this function:

```php
function cleanQuery($string)
{
    // Undo the automatic escaping added by magic_quotes_gpc so the
    // string is not escaped twice below.
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }

    // Escape for use inside a MySQL string literal (needs an open
    // mysql_connect() link). Newlines become the two characters "\n".
    $string = mysql_real_escape_string($string);

    // Escape HTML special characters as well.
    $string = htmlentities($string);

    return $string;
}
```
For the most part it's great, HOWEVER... there are three fields which I would like the user to be able to enter spaces in. An "About me" field, for example: if it is run through the above function, the new lines are replaced with an 'r', which I assume is "created" by the mysql_real_escape.

Questions:

1) Should I run the function on every user variable?
2) Is there a safe "fix" or something alternative which I can run on the three fields which may require line breaks?

Thanks.
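An added example, not part of the original post, showing the usual way to keep free-text fields such as "About me" intact: pass the raw value to a prepared statement instead of escaping it for SQL, and escape for HTML only at output time. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the `profiles` table, the function names and the sample text are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): store free-text fields with a
// prepared statement so line breaks and quotes survive the round trip and
// cannot alter the SQL. Uses in-memory SQLite; swap the DSN for MySQL in use.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT, about TEXT)');

// Save the raw user input. The driver sends the values separately from the
// SQL text, so nothing in $about is interpreted as SQL and nothing is rewritten.
function saveProfile(PDO $db, string $username, string $about): int
{
    $stmt = $db->prepare('INSERT INTO profiles (username, about) VALUES (:username, :about)');
    $stmt->execute([':username' => $username, ':about' => $about]);
    return (int) $db->lastInsertId();
}

// Read the field back exactly as it was stored.
function loadAbout(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT about FROM profiles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['about'];
}

// Escape for the output context (HTML) only when rendering, never when storing.
// nl2br() turns the preserved newlines into <br /> tags after escaping.
function renderAbout(string $about): string
{
    return nl2br(htmlspecialchars($about, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample input: multi-line text that also contains an apostrophe
// and an attempt to close the string literal.
$about = "Line one\r\nLine two, it's fine\n'); DROP TABLE profiles; --";

$id     = saveProfile($db, 'alice', $about);
$stored = loadAbout($db, $id);

// The stored text is byte-for-byte identical (no stray backslashes, no lost
// line breaks) and the table still exists with exactly one row.
echo ($stored === $about) ? "round trip intact\n" : "round trip CHANGED the text\n";
echo 'rows: ', $db->query('SELECT COUNT(*) FROM profiles')->fetchColumn(), "\n";
echo renderAbout($stored), "\n";
```

With this split there is no per-field decision to make: every value that goes into a query is bound as a parameter, and every value that goes into a page is escaped with `htmlspecialchars` at the point it is printed, so a field that needs line breaks is handled exactly like any other.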

No comments posted yet
